Escape user entered input to avoid HTML injection. This fixes Netflix…

…#1456
nmcl · Jun 8, 2017 · a938284 · a938284
1 parent ea14be2
commit a938284
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hystrix-dashboard/src/main/webapp/index.html b/hystrix-dashboard/src/main/webapp/index.html
@@ -24,7 +24,7 @@
 
 				streams.push(s);
 				$('#streams').html('<table>' + _.reduce(streams, function(html, s) {
-                            return html + '<tr><td>' + s.name + '</td><td>' + s.stream + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
+                            return html + '<tr><td>' + _.escape(s.name) + '</td><td>' + _.escape(s.stream) + '</td> <td><a href="#" onclick="removeStream(this);">Remove</a></td> </tr>';
 				}, '') + '</table>');
 
 				$('#message').html("");