[Pkg-nagios-devel] Bug#474967: URL in plugins output converted to html entity

Marc Haber mh+debian-packages at zugschlus.de
Thu May 22 12:36:55 UTC 2008

tags #474967 wontfix

On Sun, Apr 27, 2008 at 03:59:24PM +0200, Marc Haber wrote:
> I guess that this was never intended to work since it might offer a
> possibility to inject malicous javascript into nagios' web frontend.

After consulting with other members of the Debian Nagios team, I have
tagged this bug wontfix.

Allowing HTML output from plugins opens Nagios up for Cross-site
scripting attacks (see #416814), and upstream has released version
2.11 to prevent these attacks. This is the exact opposite bug than

There isn't really a safe way to allow HTML from plugins, so I think
that Nagios' current behavior is the safe default.

I guess that it would be a good idea to send a feature request
upstream to let the local admin disable the HTML escaping for
"trusted" sites, or to somehow cram it through libtidy, or perhaps
just notice URLs in the escaped output and arbitrarily rewrite them as
links. (this last paragraph was snarfed from sean finney's mail at


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the Pkg-nagios-devel mailing list