[Pkg-nagios-devel] How to handle plugins with HTML output
seanius at debian.org
Thu May 22 12:48:58 UTC 2008
On Sunday 04 May 2008 09:22:46 am Marc Haber wrote:
> I would like to solicit your opinion about #474967, where the bug
> submitter complains that Nagios no longer passes HTML output of a
> plugin verbatim to the web interface.
> I am inclined to tag this bug "wontfix", as allowing HTML output to be
> handed through from a plugin to the web interface might expose the web
> interface to XSS and/or other attacks.
yes, in fact see #416814, where the opposite bug was filed against nagios (for versions << 2.11, when the sanitization started).
> But alas, I don't know enough about web attacks to be an appropriate
> judge for this.
there isn't really an easy and safe way to allow it. i suppose a feature request upstream could be sent to let the local admin disable the escaping for "trusted" sites, or to somehow cram it through libtidy, or perhaps just notice urls in the escaped output and arbitrarily rewrite them as links. but if there has to be a hard-coded behaviour i think the new behaviour is the safer of the two.
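The third option mentioned in the reply (escape everything, then turn the URLs back into links) sketched as an added example; this is not Nagios code and not from either poster. It assumes plugin output is a single line and that only absolute http(s) URLs deserve linking; the sample output line is constructed.

```python
import html
import re

# Only absolute http(s) URLs become links; other schemes (javascript:, data:)
# never match and stay as escaped text.  The match stops at whitespace and at
# any character that could close an attribute or tag.
_URL_RE = re.compile(r'https?://[^\s<>"\']+')
_TRAILING_PUNCT = ".,;:!?)"


def render_plugin_output(raw: str) -> str:
    """Return plugin output as HTML: everything escaped, http(s) URLs linked."""
    parts = []
    pos = 0
    for m in _URL_RE.finditer(raw):
        # Text before the URL is ordinary plugin output: escape it.
        parts.append(html.escape(raw[pos:m.start()]))
        url = m.group(0).rstrip(_TRAILING_PUNCT)
        # Escape the URL for both the attribute and the link text, so "&" in a
        # query string becomes "&amp;" and a quote can never break out of href.
        safe = html.escape(url, quote=True)
        parts.append(f'<a href="{safe}">{safe}</a>')
        # Punctuation stripped from the end of the URL is still plain text.
        parts.append(html.escape(m.group(0)[len(url):]))
        pos = m.end()
    parts.append(html.escape(raw[pos:]))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed plugin output: a legitimate wiki link followed by an injection attempt.
    sample = ('DISK WARNING - see http://wiki.example.org/disk?id=5&x=1 '
              '<img src=x onerror=alert(1)>')
    print(render_plugin_output(sample))
```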