Fix LWTrace leaking HTTP request string to HTML page (ydb-platform#7011…

…) (ydb-platform#7014)
the-ancient-1 · Jul 23, 2024 · 0e8c9d1 · 0e8c9d1
1 parent bf5f3d7
commit 0e8c9d1
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/library/cpp/lwtrace/mon/mon_lwtrace.cpp b/library/cpp/lwtrace/mon/mon_lwtrace.cpp
@@ -301,7 +301,7 @@ struct TLogQuery {
             }
         } catch (...) {
             ythrow yexception()
-                << CurrentExceptionMessage()
+                << EncodeHtmlPcdata(CurrentExceptionMessage())
                 << " while parsing track log query: "
                 << Text;
         }
@@ -1853,7 +1853,7 @@ class TTracesHtmlPrinter {
         try {
             Os << src->GetStartTime().ToStringUpToSeconds();
         } catch (...) {
-            Os << "error: " << CurrentExceptionMessage();
+            Os << "error: " << EncodeHtmlPcdata(CurrentExceptionMessage());
         }
         Os << "</td>"
            << "<td><div class=\"dropdown\">"
@@ -3821,17 +3821,17 @@ class TLWTraceMonPage : public NMonitoring::IMonPage {
             }
         } catch (TPageGenBase& gen) {
             out.Clear();
-            out << gen.what();
+            out << EncodeHtmlPcdata(gen.what());
         } catch (...) {
             out.Clear();
             if (request.GetParams().Get("error") == "text") {
                 // Text error reply is helpful for ajax requests
                 out << NMonitoring::HTTPOKTEXT;
-                out << CurrentExceptionMessage();
+                out << EncodeHtmlPcdata(CurrentExceptionMessage());
             } else {
                 WWW_HTML(out) {
                     out << "<h2>Error</h2><pre>"
-                        << CurrentExceptionMessage()
+                        << EncodeHtmlPcdata(CurrentExceptionMessage())
                         << Endl;
                 }
             }