Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes an XSS issue with unescaped node names. #3578

Merged
merged 3 commits into from
Oct 16, 2017
Merged

Fixes an XSS issue with unescaped node names. #3578

merged 3 commits into from
Oct 16, 2017

Conversation

slackpad
Copy link
Contributor

@slackpad slackpad commented Oct 16, 2017

This fixes an XSS issue with unescaped node names in the coordinate display. We also escape the segment name for good measure, though the format of those is tightly controlled by Consul, so those were't vulnerable due to back end validation.

@slackpad slackpad merged commit f25c66d into master Oct 16, 2017
@slackpad slackpad deleted the node-xss branch October 16, 2017 16:12
michaelw pushed a commit to michaelw/consul that referenced this pull request Jan 11, 2018
Version 1.0.0

* tag 'v1.0.0': (455 commits)
  Release v1.0.0
  Puts the tree in 1.0 final release mode.
  Fixes an XSS issue with unescaped node names. (hashicorp#3578)
  Adds a note about the Raft protocol not being the same as the Consul protocol.
  Adds a 1.0 section to the upgrade guide and cleans up the change log.
  Update sentinel.html.markdown.erb
  Update dns forwarding documentation (hashicorp#3574)
  Adds a brief wait and poll period to update check status after a timeout. (hashicorp#3573)
  Cleans up some drift between the OSS and Enterprise trees.
  Clarify the docs around script check timeout behavior
  Updates the change log.
  Kill check processes after the timeout is reached (hashicorp#3567)
  Updates the change log.
  retry locks on network errors (hashicorp#3553)
  Fix example code formatting in godoc
  config: remove redundant code
  config: fix check for segment.port <= 0 and add test
  Adds check to make sure port is given so we avoid a nil bind address.
  Removes obsolete segment stub.
  agent: add option to discard health output (hashicorp#3562)
  ...
johncowen pushed a commit that referenced this pull request May 4, 2018
* Fixes an XSS issue with node names in the tomography graph.

* Updates built-in static web assets.

* Updates the change log.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant