lib/httpserver: escape the error string before sending it in the response to the client

See https://github.com/VictoriaMetrics/VictoriaMetrics/security/code-scanning/353
This commit is contained in:
Aliaksandr Valialkin
2026-02-18 20:39:49 +01:00
parent 53514febdc
commit 0b8205ef46


@@ -7,6 +7,7 @@ import (
"errors"
"flag"
"fmt"
"html"
"io"
"log"
"net"
@@ -670,7 +671,11 @@ func Errorf(w http.ResponseWriter, r *http.Request, format string, args ...any)
if rwa, ok := w.(*responseWriterWithAbort); ok && rwa.sentHeaders {
// HTTP status code has been already sent to client, so it cannot be sent again.
// Just write errStr to the response and abort the client connection, so the client could notice the error.
fmt.Fprintf(w, "\n%s\n", errStr)
//
// HTML-escape the errStr in order to protect from possible XSS, since the errStr may contain user input.
errStrEscaped := html.EscapeString(errStr)
fmt.Fprintf(w, "\n%s\n", errStrEscaped)
rwa.abort()
return
}
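Review bot: The escaping at `errStrEscaped := html.EscapeString(errStr)` is applied regardless of the Content-Type the handler already sent, so for JSON, CSV or text/plain streams the trailing error line now reaches the client with `"` rendered as `&#34;` and `&` as `&amp;`, which is a behaviour change for non-browser clients that surface that text. Since the headers are already out, this branch could read the sent type and escape only when it is HTML, e.g. `if strings.Contains(w.Header().Get("Content-Type"), "html") { errStr = html.EscapeString(errStr) }` (assuming `w.Header()` still reflects the sent headers through the wrapper and `strings` is imported). If escaping every response is the intended trade-off because the sent Content-Type is not trusted here, say so in the comment, e.g. `// Escaping is applied to all content types, since the headers already sent may declare HTML or a sniffable type.` Errorf's body starts before this hunk, so the non-sentHeaders path that presumably sets its own content type is not visible here.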