Merge pull request #1133 from prometheus/escape-string-values

HTML-escape string return values in web UI.
2024-12-26 22:19:40 -08:00 · 2015-10-01 15:36:11 +02:00 · 2015-10-01 15:36:11 +02:00 · d025fcd4e2
parent ea7c077e81 3008a35c04
commit d025fcd4e2
2 changed files with 232 additions and 194 deletions
--- a/web/blob/files.go
+++ b/web/blob/files.go
--- a/web/blob/static/js/graph.js
+++ b/web/blob/static/js/graph.js
@ -601,7 +601,7 @@ Prometheus.Graph.prototype.handleConsoleResponse = function(data, textStatus) {
    tBody.append("<tr><td>scalar</td><td>" + data.result[1] + "</td></tr>");
    break;
  case "string":
-    tBody.append("<tr><td>string</td><td>" + data.result[1] + "</td></tr>");
+    tBody.append("<tr><td>string</td><td>" + escapeHTML(data.result[1]) + "</td></tr>");
    break;
  default:
    self.showError("Unsupported value type!");