This repository has been archived by the owner. It is now read-only.

Escaped Strings in Quick Values improperly "Add to Search Query" #1484

Closed
NickMeves opened this issue Jun 13, 2015 · 3 comments

Comments


@NickMeves NickMeves commented Jun 13, 2015

Thanks for the quick fix on Issue #1455 -- alleviates a lot of security concerns.

Related to that issue though:

Any values clicked on from Quick Values will have the HTML Escaped version in the search bar (< > in all their glory) which doesn't find the appropriate values in the prefix search context on the field.


@edmundoa edmundoa commented Jun 15, 2015

Hi,

How did you manage to get < and > into the quick values? I tried to reproduce it last time, but in the end I fed one of those values by hand into the JavaScript console. It would be great if you could share one of those messages (removing any sensitive information of course), so we can test it properly :)

@edmundoa edmundoa added this to the 1.1.3 milestone Jun 15, 2015
edmundoa added a commit that referenced this issue Jun 15, 2015
Quick values and sources are escaped to avoid interpreting any HTML code
on them. When clicking on the "add to search" query button, we should
unescape them to represent the actual message.

Fixes #1484
@edmundoa edmundoa closed this in 45cdf0c Jun 15, 2015
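The escape-on-render, unescape-on-add behaviour the commit message describes, as an added JavaScript example. This is not Graylog's own code: the function names (`renderQuickValue`, `addToSearchQueryBuggy`, `addToSearchQueryFixed`, `quoteForQuery`), the row shape and the sample Message-ID are illustrative assumptions. It shows why adding the escaped display text to the query found nothing, and what the fixed path does instead.

```javascript
// Added example, not Graylog's code. Function names, the row shape and the
// sample Message-ID below are illustrative assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch]),
);

// Escape a field value before it is inserted into the page as text, so a
// value such as "<img src=x onerror=...>" renders literally instead of
// being parsed as HTML (the #1455 fix).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml. Only the five entities produced above are decoded,
// so a value that itself contained "&lt;" round-trips unchanged because its
// ampersand was escaped to "&amp;" first.
function unescapeHtml(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Backslash-escape quote and backslash so the value is safe inside a
// quoted search term.
function quoteForQuery(value) {
  return '"' + String(value).replace(/(["\\])/g, '\\$1') + '"';
}

// A quick-values row as rendered: the display text is HTML-escaped for the DOM.
function renderQuickValue(field, rawValue) {
  return { field, display: escapeHtml(rawValue) };
}

// Before the fix: the row's display text went straight into the query, so the
// search looked for the literal characters "&lt;...&gt;" and matched nothing.
function addToSearchQueryBuggy(row) {
  return `${row.field}:${quoteForQuery(row.display)}`;
}

// After the fix: decode the display text back to the original value first.
function addToSearchQueryFixed(row) {
  return `${row.field}:${quoteForQuery(unescapeHtml(row.display))}`;
}

// Constructed sample: an e-mail Message-ID as it would arrive over GELF.
const sampleRow = renderQuickValue('message_id', '<20150613.1234@mail.example.com>');
```

Running `addToSearchQueryBuggy(sampleRow)` yields `message_id:"&lt;20150613.1234@mail.example.com&gt;"`, which is what the issue reports appearing in the search bar; `addToSearchQueryFixed(sampleRow)` yields `message_id:"<20150613.1234@mail.example.com>"`. Keeping the raw value on the row and never building queries from rendered text avoids the unescape step entirely, but the decode shown here is the shape of the fix as described.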

@NickMeves NickMeves commented Jun 15, 2015

When testing I just did it the quick route and added a static field with HTML markup onto a random HTTP input on the fly.

I also overrode the source and replaced source with HTML markup to make sure the graph on the sources page was escaped too (it is :) )

In production we have email logs (message-ids in emails frequently are wrapped in < > ) and we have HTML links. Just sending those over via GELF TCP got the < > into the system for us.


@edmundoa edmundoa commented Jun 16, 2015

Ah, I only tried sending messages to a raw input, probably that's the reason why I couldn't see it. Thank you for your feedback! :)
