
Add notification template without escaping #18171

Merged
merged 6 commits into from Mar 7, 2024

Conversation

patrickmann
Contributor

@patrickmann patrickmann commented Feb 6, 2024

Resolves Graylog2/graylog-plugin-enterprise#6525

Provides a notification template that does not escape parameter strings. This is useful if the message is supposed to contain HTML characters, e.g. "Index <i1> is unavailable".

How Has This Been Tested?

Unit test and hand-crafted notifications

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

@patrickmann patrickmann marked this pull request as ready for review February 6, 2024 07:54
Member

@mpfz0r mpfz0r left a comment


We need to escape the content of the notifications,
as it is untrusted.

I've created an output with an html injection name to demonstrate this:

[image]

@patrickmann
Contributor Author

So the requirement is:

  • titles are not escaped and not interpreted as HTML
  • descriptions are escaped and interpreted as HTML

We can use Freemarker directives to assign plaintext format to the titles; and leave descriptions as is (HTML output format).

@mpfz0r
Member

mpfz0r commented Feb 22, 2024

> So the requirement is:
>
> * titles are not escaped and not interpreted as HTML

I wouldn't make the distinction between titles and descriptions.
Titles just shouldn't be escaped twice. I suggest we just treat them as raw html like we do for the description.
See my comment and patch on the other PR.

> * descriptions are escaped and interpreted as HTML
>   We can use Freemarker directives to assign plaintext format to the titles; and leave descriptions as is (HTML output format).

@patrickmann
Contributor Author

I went with your initial suggestion of modifying rendering of titles in the FE. It achieves the desired outcome and doesn't require any changes to templates.
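The two failure modes discussed in this thread, an untrusted value (such as an output name) being interpreted as HTML, and a title being escaped twice so the user sees `&lt;i1&gt;` literally, can be shown with a small simulation of the two rendering stages. The following is an added example, not Graylog's code: the Freemarker template is simulated with a plain function, the frontend is reduced to string assembly, and every function name below (`escapeHtml`, `renderTemplate`, `frontendDoubleEscaped`, `frontendSingleEscaped`, `visibleText`) is an assumption made for this example.

```javascript
// Added example, not Graylog code. Simulates the notification pipeline
// discussed in the PR: a template that escapes parameters once, followed
// by a frontend that either re-escapes the title (bug) or inserts the
// template output as-is (the fix: treat titles like descriptions).
// All names here are assumptions for this example.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the HTML-significant characters so untrusted text renders inert.
// Not idempotent: applying it twice turns "<" into "&amp;lt;".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stage 1: the template (Freemarker in Graylog, simulated here) escapes
// every interpolated parameter exactly once. Untrusted values such as an
// output name are neutralised at this point.
function renderTemplate(title, description) {
  return { title: escapeHtml(title), description: escapeHtml(description) };
}

// Stage 2a (bug): the frontend escapes the already-escaped title again,
// so "Index <i1> is unavailable" is displayed as "Index &lt;i1&gt; is unavailable".
function frontendDoubleEscaped(rendered) {
  return {
    titleHtml: `<h3>${escapeHtml(rendered.title)}</h3>`,
    descriptionHtml: `<p>${rendered.description}</p>`,
  };
}

// Stage 2b (fix suggested in the thread): treat the title as HTML that the
// template has already escaped once, exactly as the description is treated.
function frontendSingleEscaped(rendered) {
  return {
    titleHtml: `<h3>${rendered.title}</h3>`,
    descriptionHtml: `<p>${rendered.description}</p>`,
  };
}

// Approximation of what a browser displays for a fragment: drop real tags,
// then decode the entities escapeHtml produces. "&amp;" is decoded last so a
// double-escaped "&amp;lt;" correctly shows up as the literal text "&lt;".
function visibleText(html) {
  return html
    .replace(/<[^>]+>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Constructed sample input: the title from the PR description and a
// description containing an untrusted output name with HTML markup in it.
const sample = renderTemplate("Index <i1> is unavailable", "Output <b>ops</b> failed");
console.log("double-escaped title :", visibleText(frontendDoubleEscaped(sample).titleHtml));
console.log("single-escaped title :", visibleText(frontendSingleEscaped(sample).titleHtml));
console.log("description (inert)  :", visibleText(frontendSingleEscaped(sample).descriptionHtml));
```

The invariant to check in a review is that each untrusted string crosses an escaping boundary exactly once: the template escapes, and the frontend inserts the result without escaping again. Escaping zero times is the injection mpfz0r demonstrated; escaping twice is the `&lt;i1&gt;` symptom that motivated the PR.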

@patrickmann patrickmann requested a review from mpfz0r March 5, 2024 11:19
@mpfz0r mpfz0r merged commit 6c7d2c4 into master Mar 7, 2024
6 checks passed
@mpfz0r mpfz0r deleted the notificationEscaping branch March 7, 2024 19:11
Contributor Author

@patrickmann patrickmann left a comment


Looks good, works as expected.
