frontend: disable escaping of special HTML chars for BGPMap graph

2025-02-16 10:34:27 +01:00 · 2024-07-01 21:16:43 -07:00 · 2024-07-01 21:16:43 -07:00 · 0dd1c07b66
commit 0dd1c07b66
parent f0f072c4a6
2 changed files with 8 additions and 3 deletions
--- a/frontend/bgpmap_graph.go
+++ b/frontend/bgpmap_graph.go
@ -1,6 +1,7 @@
 package main

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"strings"
@ -69,11 +70,15 @@ func (graph *RouteGraph) attrsToString(attrs RouteAttrs) string {
 }

 func (graph *RouteGraph) escape(s string) string {
-	result, err := json.Marshal(s)
+	buffer := &bytes.Buffer{}
+	encoder := json.NewEncoder(buffer)
+	encoder.SetEscapeHTML(false)
+	err := encoder.Encode(s)
+
 	if err != nil {
 		return err.Error()
 	} else {
-		return string(result)
+		return string(buffer.Bytes())
 	}
 }

--- a/frontend/bgpmap_test.go
+++ b/frontend/bgpmap_test.go
@ -33,7 +33,7 @@ func TestBirdRouteToGraphvizXSS(t *testing.T) {
 		fakeResult,
 	}, fakeResult)

-	if strings.Contains(result, "<script>") {
+	if strings.Contains(result, fakeResult) {
 		t.Errorf("XSS injection succeeded: %s", result)
 	}
 }