From a938284799b988a2e50c1a0c8944aa094cc7e143 Mon Sep 17 00:00:00 2001
From: Antoine Toulme <antoine@lunar-ocean.com>
Date: Wed, 7 Jun 2017 21:24:53 -0700
Subject: [PATCH] Escape user entered input to avoid HTML injection. This fixes
 #1456

---
 hystrix-dashboard/src/main/webapp/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hystrix-dashboard/src/main/webapp/index.html b/hystrix-dashboard/src/main/webapp/index.html
index 2fbc86395..a73f00a92 100644
--- a/hystrix-dashboard/src/main/webapp/index.html
+++ b/hystrix-dashboard/src/main/webapp/index.html
@@ -24,7 +24,7 @@
 
 				streams.push(s);
 				$('#streams').html('<table>' + _.reduce(streams, function(html, s) {
-                            return html + '<tr><td>' + s.name + '</td><td>' + s.stream + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
+                            return html + '<tr><td>' + _.escape(s.name) + '</td><td>' + _.escape(s.stream) + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
 				}, '') + '</table>');
 
 				$('#message').html("");

' + s.name + '	' + s.stream + '	Remove
' + _.escape(s.name) + '	' + _.escape(s.stream) + '	Remove