Merge pull request Netflix#1606 from atoulme/issue_1456

Escape user entered input to avoid HTML injection. This fixes Netflix#1456
bhatanil · Jun 14, 2017 · 1460419 · 1460419
2 parents 027578a + a938284
commit 1460419
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hystrix-dashboard/src/main/webapp/index.html b/hystrix-dashboard/src/main/webapp/index.html
@@ -24,7 +24,7 @@
 
 				streams.push(s);
 				$('#streams').html('<table>' + _.reduce(streams, function(html, s) {
-                            return html + '<tr><td>' + s.name + '</td><td>' + s.stream + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
+                            return html + '<tr><td>' + _.escape(s.name) + '</td><td>' + _.escape(s.stream) + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
 				}, '') + '</table>');
 
 				$('#message').html("");