
Escaped Strings in Quick Values improperly "Add to Search Query" #1484

Closed
NickMeves opened this Issue Jun 13, 2015 · 3 comments

@NickMeves

NickMeves commented Jun 13, 2015

Thanks for the quick fix on Issue #1455 -- alleviates a lot of security concerns.

Related to that issue though:

Any values clicked on from Quick Values will have the HTML Escaped version in the search bar (< > in all their glory) which doesn't find the appropriate values in the prefix search context on the field.

@edmundoa


Member

edmundoa commented Jun 15, 2015

Hi,

How did you manage to get < and > into the quick values? I tried to reproduce it last time, but in the end I fed one of those values by hand into the Javascript console. It would be great if you could share one of those messages (removing any sensitive information of course), so we can test it properly :)

@edmundoa edmundoa added this to the 1.1.3 milestone Jun 15, 2015

edmundoa added a commit that referenced this issue Jun 15, 2015

Unescape terms added to search bar
Quick values and sources are escaped to avoid interpreting any HTML code
on them. When clicking on the "add to search" query button, we should
unescape them to represent the actual message.

Fixes #1484

@edmundoa edmundoa closed this in 45cdf0c Jun 15, 2015
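The commit message above describes the general pattern: a value is escaped once for the HTML display context, and must be unescaped again before it is reused in a different context (the search query), otherwise the query carries entity text such as `&lt;` that never matches the raw field value. The following is an added illustration of that pattern and is not Graylog's own code; the function names, the constructed sample messages, the toy prefix matcher and the Lucene-style double-quoting of the term are all assumptions made for the example.

```javascript
// Added example (not Graylog's code): escape a field value for HTML display and
// unescape it again before placing it in the search bar, so the query matches the
// raw message term rather than its HTML-entity form.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE_MAP = Object.fromEntries(
  Object.entries(ESCAPE_MAP).map(([ch, entity]) => [entity, ch]),
);

// Escape for rendering inside an HTML text node (display context).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Reverse exactly the five entities escapeHtml emits. A single left-to-right pass
// is used, so "&amp;lt;" decodes to "&lt;" and is not decoded a second time.
function unescapeHtml(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => UNESCAPE_MAP[entity]);
}

// Behaviour reported in the issue: the escaped display text goes straight into the query.
function buildQueryFromDisplayText(field, displayText) {
  return `${field}:${displayText}`;
}

// Behaviour after the fix: unescape first, then quote the term so that characters such
// as < > survive the query syntax. Double-quote phrase syntax is an assumption here.
function buildQueryFromQuickValue(field, displayText) {
  const raw = unescapeHtml(displayText);
  const quoted = raw.replace(/(["\\])/g, '\\$1');
  return `${field}:"${quoted}"`;
}

// Constructed sample messages standing in for email logs whose message-ids are wrapped in < >.
const SAMPLE_MESSAGES = [
  { message_id: '<20150613.1@mail.example.com>' },
  { message_id: '<20150613.2@mail.example.com>' },
  { message_id: 'plain-id-without-brackets' },
];

// Toy stand-in for the prefix search on a field: counts messages whose field starts with term.
function countPrefixMatches(field, term, messages = SAMPLE_MESSAGES) {
  return messages.filter((m) => String(m[field]).startsWith(term)).length;
}

// Walk through the report: the Quick Values table shows the escaped form; clicking
// "add to search query" must hand the unescaped form to the search.
function demonstrateRoundTrip(rawValue) {
  const displayText = escapeHtml(rawValue);
  return {
    displayText,
    roundTripsExactly: unescapeHtml(displayText) === rawValue,
    matchesWhenEscaped: countPrefixMatches('message_id', displayText),
    matchesWhenUnescaped: countPrefixMatches('message_id', unescapeHtml(displayText)),
  };
}

const result = demonstrateRoundTrip('<20150613.1@mail.example.com>');
console.log(result);
console.log(buildQueryFromDisplayText('message_id', result.displayText));
console.log(buildQueryFromQuickValue('message_id', result.displayText));
```

The defensive point is that escaping is context-specific: the entity form is correct for the HTML table and wrong for the query, so the value has to be transformed per context rather than escaped once and passed around. Unescaping only the entities the escaper emits, in one pass, keeps the two functions exact inverses even for input that already contains entity-looking text.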

@NickMeves


NickMeves commented Jun 15, 2015

When testing I just did it the quick route and added a static field with HTML markup onto a random HTTP input on the fly.

I also overrode the source and replaced source with HTML markup to make sure the graph on the sources page was escaped too (it is :) )

In production we have email logs (message-ids in emails frequently are wrapped in < > ) and we have HTML links. Just sending those over via GELF TCP got the < > into the system for us.

@edmundoa


Member

edmundoa commented Jun 16, 2015

Ah, I only tried sending messages to a raw input, probably that's the reason why I couldn't see it. Thank you for your feedback! :)
