targets.html: predefined escaper "html" disallowed in template (with go1.9rc2) #3046

Closed
knweiss opened this Issue Aug 9, 2017 · 6 comments

knweiss commented Aug 9, 2017

What did you do?

I've tested prometheus 1.7.1 compiled with go1.9rc2.

What did you expect to see?

I wanted to open the usual "Targets" page in the web ui.

What did you see instead? Under which circumstances?

The "Targets" page now always shows the following error:

error executing template targets.html: html/template:targets.html:99:207: predefined escaper "html" disallowed in template

Environment

CentOS 7.3, x86-64, go1.9rc2 or go1.9rc1

  • System information:
$ uname -sr
Linux 3.10.0-514.26.2.el7.x86_64

  • Prometheus version:
$ ./prometheus --version
prometheus, version 1.7.1 (branch: build-v1.7.1, revision: 3afb3fffa3a29c3de865e1172fb740442e9d0133)
  build user:       knweiss@XXX
  build date:       20170809-08:13:55
  go version:       go1.9rc2
  • Info

This error seems to be related to a html/template fix in go1.9. Quoting the Go 1.9 Release Notes:

html/template:
The package now reports an error if a predefined escaper (one of "html", "urlquery" and "js") is found in a pipeline and does not match what the auto-escaper would have decided on its own. This avoids certain security or correctness issues. Now use of one of these escapers is always either a no-op or an error. (The no-op case eases migration from text/template.)

  • Hotfix

I was able to get it running again with this little hotfix (followed by make assets to rebuild web/ui/bindata.go):

$ git diff web/ui/templates/targets.html
diff --git a/web/ui/templates/targets.html b/web/ui/templates/targets.html
index 03fb700b..01abd952 100644
--- a/web/ui/templates/targets.html
+++ b/web/ui/templates/targets.html
@@ -32,7 +32,7 @@
                 </span>
               </td>
               <td>
-                <span class="cursor-pointer" data-toggle="tooltip" title="" data-html=true data-original-title="<b>Before relabeling:</b>{{range $k, $v := .DiscoveredLabels}}<br>{{$k | html | html}}=&quot;{{$v | html | html}}&quot;{{end}}">
+                <span class="cursor-pointer" data-toggle="tooltip" title="" data-html=true data-original-title="<b>Before relabeling:</b>{{range $k, $v := .DiscoveredLabels}}<br>{{$k}}=&quot;{{$v}}&quot;{{end}}">
                   {{$labels := stripLabels .Labels "job"}}
                   {{range $label, $value := $labels}}
                     <span class="label label-primary">{{$label}}="{{$value}}"</span>
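Review bot: On the `+` line, `{{$k}}` and `{{$v}}` now receive only the single contextual escape for a quoted attribute value, whereas the removed line escaped each value twice with `| html | html` and the element still carries `data-html=true`. If the tooltip script parses the decoded `data-original-title` as HTML, a label key or value containing markup reaches it unescaped once the browser has decoded the attribute, so please check how the tooltip itself (not just the page source) treats a label value that contains an HTML tag. If a second escaping layer turns out to be needed, apply it with a custom template function or on the Go side before the value reaches the template, since the predefined `html` escaper is only accepted as the last command in a pipeline.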

However, I'm not familiar with the templating engine and someone should please determine the correct fix.

(Also, I haven't tested this hotfix with go1.8.3 yet!)

brian-brazil commented Aug 9, 2017

I'm not sure the proposed fix is correct. Can you confirm it continues to correctly escape single and double quotes?

knweiss commented Aug 9, 2017

As I've mentioned: This is a local hotfix to get it running and not a proposed correct fix. The tooltips look fine though.

I'll try to create an escape test tomorrow. (I'm a little bit in a hurry right now.)

knweiss commented Aug 10, 2017

@brian-brazil Okay, I've added these two extra labels to a server:

    labels:
       escapetest1: 'aa"bbÖccÄdd'
       escapetest2: "<<<'''>>>"

With the hotfix the labels are rendered correctly in the browser - both in the targets table and in the tooltip. The html page source looks like this:

              <span class="cursor-pointer" data-toggle="tooltip" title="" data-html=true data-original-title="<b>Before relabeling:</b><br>__address__=&quot;XXX.localdomain:2379&quot;<br>__metrics_path__=&quot;/metrics&quot;<br>__scheme__=&quot;http&quot;<br>escapetest1=&quot;aa&#34;bbÖccÄdd&quot;<br>escapetest2=&quot;&lt;&lt;&lt;&#39;&#39;&#39;&gt;&gt;&gt;&quot;<br>job=&quot;etcd&quot;<br>nodetype=&quot;server&quot;">
                  
                  
                    <span class="label label-primary">escapetest1="aa&#34;bbÖccÄdd"</span>
                  
                    <span class="label label-primary">escapetest2="&lt;&lt;&lt;&#39;&#39;&#39;&gt;&gt;&gt;"</span>

LGTM.

brian-brazil commented Aug 10, 2017

That looks fine, can you send a PR?

knweiss commented Aug 10, 2017

Status update: I've now also tested the hotfix (on the v1.7.1 tag!) with go1.8.3 and this also works. (I did not test any older go version though.)

I'll test the master branch next (where targets.html changed in the meantime) and try to prepare a PR.

knweiss added a commit to knweiss/prometheus that referenced this issue Aug 11, 2017

Fix 'predefined escaper "html" disallowed in template' in `/targets` (prometheus#3046)

Issue prometheus#3046 is triggered by html/template changes in go1.9.

See https://tip.golang.org/pkg/html/template. Quote:

//   To ease migration to Go 1.9 and beyond, "html" and "urlquery" will
//   continue to be allowed as the last command in a pipeline. However, if the
//   pipeline occurs in an unquoted attribute value context, "html" is
//   disallowed. Avoid using "html" and "urlquery" entirely in new templates.

The commit also includes a trivial whitespace fix.
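
The Go 1.9 rule quoted in the release notes and in the commit message above can be reproduced directly with html/template. This is an added example, not code from Prometheus or from any participant in this thread; the template fragments are constructed, shortened stand-ins for the tooltip attribute in targets.html, and the sample value is the escapetest2 label used in the thread.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample: the escapetest2 label value used in the thread.
const labelValue = `<<<'''>>>`

// Template fragments modelled on the tooltip attribute (constructed, shortened).
const (
	doubleHTML = `<span title="{{. | html | html}}">x</span>` // form before the hotfix
	autoOnly   = `<span title="{{.}}">x</span>`               // form after the hotfix
	lastHTML   = `<span title="{{. | html}}">x</span>`        // "html" as the last command
	unquoted   = `<span title={{. | html}}>x</span>`          // unquoted attribute value
)

// render parses src with html/template and executes it with labelValue as
// the data. Contextual escaping runs lazily, so a pipeline the escaper
// rejects surfaces as an error from Execute, not from Parse.
func render(src string) (string, error) {
	t, err := template.New("targets.html").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, labelValue); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, src := range []string{doubleHTML, autoOnly, lastHTML, unquoted} {
		out, err := render(src)
		fmt.Printf("%-45s -> %q err=%v\n", src, out, err)
	}
}
```

The two accepted forms produce the same single layer of attribute escaping, which matches the page source posted earlier in the thread; the other two fail at execution time with the error from the issue title.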

juliusv added a commit that referenced this issue Aug 11, 2017

Fix 'predefined escaper "html" disallowed in template' in `/targets` (#3046) (#3050)

lock bot commented Mar 23, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 23, 2019
