From da7206ec29c44de321221e230b9689be5b0768ee Mon Sep 17 00:00:00 2001
From: Julius Volz
Date: Fri, 12 Aug 2016 02:52:59 +0200
Subject: [PATCH] Fix rule HTML escaping issues

This was mentioned as part of https://github.com/prometheus/alertmanager/issues/452
---
 rules/alerting.go | 6 +++---
 rules/alerting_test.go | 26 ++++++++++++++++++++++++++
 rules/recording.go | 4 ++--
 rules/recording_test.go | 15 +++++++++++++++
 4 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 rules/alerting_test.go

diff --git a/rules/alerting.go b/rules/alerting.go
index f28ffa289..39b5906e1 100644
--- a/rules/alerting.go
+++ b/rules/alerting.go
@@ -324,15 +324,15 @@ func (r *AlertingRule) HTMLSnippet(pathPrefix string) html_template.HTML {
 alertNameLabel: model.LabelValue(r.name),
 }
 s := fmt.Sprintf("ALERT %s", pathPrefix+strutil.GraphLinkForExpression(alertMetric.String()), r.name)
- s += fmt.Sprintf("\n IF %s", pathPrefix+strutil.GraphLinkForExpression(r.vector.String()), r.vector)
+ s += fmt.Sprintf("\n IF %s", pathPrefix+strutil.GraphLinkForExpression(r.vector.String()), html_template.HTMLEscapeString(r.vector.String()))
 if r.holdDuration > 0 {
 s += fmt.Sprintf("\n FOR %s", model.Duration(r.holdDuration))
 }
 if len(r.labels) > 0 {
- s += fmt.Sprintf("\n LABELS %s", r.labels)
+ s += fmt.Sprintf("\n LABELS %s", html_template.HTMLEscapeString(r.labels.String()))
 }
 if len(r.annotations) > 0 {
- s += fmt.Sprintf("\n ANNOTATIONS %s", r.annotations)
+ s += fmt.Sprintf("\n ANNOTATIONS %s", html_template.HTMLEscapeString(r.annotations.String()))
 }
 return html_template.HTML(s)
 }
diff --git a/rules/alerting_test.go b/rules/alerting_test.go
new file mode 100644
index 000000000..9cba73562
--- /dev/null
+++ b/rules/alerting_test.go
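Review bot: In `rules/alerting.go`, `r.name` is still handed to `fmt.Sprintf` unescaped on the `ALERT` line, and the string is then returned as `html_template.HTML`, which html/template writes out without further escaping; `rule.name` in the `rules/recording.go` hunk has the same gap. If the rule parser restricts names to identifier characters this is not reachable, but that validation is not visible in this patch and `NewAlertingRule` accepts a plain string, so wrapping it like the other fields is cheap: `html_template.HTMLEscapeString(r.name)`. `pathPrefix` is likewise concatenated raw into the link target; it is presumably operator-configured, which is worth confirming. The body of `HTMLSnippet` starts above this hunk.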
@@ -0,0 +1,26 @@
+package rules
+
+import (
+ "testing"
+
+ "github.com/prometheus/common/model"
+ "github.com/prometheus/prometheus/promql"
+)
+
+func TestAlertingRuleHTMLSnippet(t *testing.T) {
+ expr, err := promql.ParseExpr(`foo{html="BOLD"}`)
+ if err != nil {
+ t.Fatal(err)
+ }
+ rule := NewAlertingRule("testrule", expr, 0, model.LabelSet{"html": "BOLD"}, model.LabelSet{"html": "BOLD"})
+
+ const want = `ALERT testrule
+ IF foo{html="<b>BOLD<b>"}
+ LABELS {html="<b>BOLD</b>"}
+ ANNOTATIONS {html="<b>BOLD</b>"}`
+
+ got := rule.HTMLSnippet("/test/prefix")
+ if got != want {
+ t.Fatalf("incorrect HTML snippet; want:\n\n|%v|\n\ngot:\n\n|%v|", want, got)
+ }
+}
diff --git a/rules/recording.go b/rules/recording.go
index 258faf4b1..e40fbed5e 100644
--- a/rules/recording.go
+++ b/rules/recording.go
@@ -106,7 +106,7 @@ func (rule RecordingRule) HTMLSnippet(pathPrefix string) template.HTML {
 `%s%s = %s`,
 pathPrefix+strutil.GraphLinkForExpression(rule.name),
 rule.name,
- rule.labels,
+ template.HTMLEscapeString(rule.labels.String()),
 pathPrefix+strutil.GraphLinkForExpression(ruleExpr),
- ruleExpr))
+ template.HTMLEscapeString(ruleExpr)))
 }
diff --git a/rules/recording_test.go b/rules/recording_test.go
index 7dd32392c..36b5ac1dd 100644
--- a/rules/recording_test.go
+++ b/rules/recording_test.go
@@ -68,3 +68,18 @@ func TestRuleEval(t *testing.T) {
 }
 }
 }
+
+func TestRecordingRuleHTMLSnippet(t *testing.T) {
+ expr, err := promql.ParseExpr(`foo{html="BOLD"}`)
+ if err != nil {
+ t.Fatal(err)
+ }
+ rule := NewRecordingRule("testrule", expr, model.LabelSet{"html": "BOLD"})
+
+ const want = `testrule{html="<b>BOLD</b>"} = foo{html="<b>BOLD<b>"}`
+
+ got := rule.HTMLSnippet("/test/prefix")
+ if got != want {
+ t.Fatalf("incorrect HTML snippet; want:\n\n%s\n\ngot:\n\n%s", want, got)
+ }
+}
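Review bot: The fixture in `TestAlertingRuleHTMLSnippet` keeps the rule name (`"testrule"`) and the path prefix (`"/test/prefix"`) free of HTML metacharacters, so the test pins escaping only for the expression, labels and annotations; `TestRecordingRuleHTMLSnippet` in `rules/recording_test.go` has the same shape. A second case whose name carries markup, such as `"<b>rule</b>"`, would record whether names are meant to be escaped in the snippet or rejected earlier. The hold duration is passed as `0`, so the `FOR` branch is never rendered by this test either. A one-line comment above each test, e.g. `// Regression test: user-supplied rule fields must be HTML-escaped in the rendered snippet.`, would tell the next reader why the fixture values look the way they do.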
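Review bot: `HTMLSnippet` in `rules/recording.go` returns `template.HTML`, which html/template emits without further escaping, yet nothing at the function states that every interpolated argument must already be escaped; the fix depends on each argument being wrapped by hand. A doc comment would make that invariant explicit for whoever adds the next field, for example `// HTMLSnippet returns an HTML snippet representing this rule; every interpolated value must be HTML-escaped because the result is emitted verbatim.` Only the signature is visible here, in the hunk header, so an existing comment above it may already say this.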