escaping/sanitizing plugin output in nagios web interfaces

[Ton Voon]

On 9 Apr 2007, at 03:59, Ethan Galstad wrote:

> I think its a good idea to escape HTML whenever possible.  I think  
> these
> kinds of problems can all be avoided by simply escaping the < and >
> characters.  I've updated the html_encode() function and changed the
> CGIs to encode all plugin/perfdata output in the CGIs, as well as the
> command definitions in the config CGI.  I think I've got the code
> changed in all the necessary places.  Patches will be made the CVS  
> code
> (Nagios 2.x and 3/HEAD branches) shortly.

What about where we *do* want html passed through to the web  
interface? For instance, we have urlize which wraps the output with  
an <a href="..."> tag.

I would prefer Sean's suggestion of allowing "safe" tags. My drupal  
install has a "filtered HTML mode" which allows <a> <em> <strong>  
<cite> <code> <ul> <ol> <li> <dl> <dt> <dd>, which seems like a  
reasonable list to allow. Any other tags should be stripped, rather  
than just encoded, I think.

If you agree on a list of allowable tags, I can see this is useful to  
add to the plugins guidelines.

Especially with Nagios 3's multi line output, some filtered output is  
going to be a very useful way of getting data presented in the front  
end. The front end can also decide whether to display or not.

I would expect you always encode perfdata and command definitions.

Ton

http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV