x-pack/filebeat/input/http_endpoint: ensure all responses are HTML-es…

…caped (#39329)
elastic · May 5, 2024 · 56763aa · 56763aa
1 parent 13aed9f
commit 56763aa
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -257,6 +257,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add debugging breadcrumb to logs when writing request trace log. {pull}38636[38636]
 - added benchmark input {pull}37437[37437]
 - added benchmark input and discard output {pull}37437[37437]
+- Ensure all responses sent by HTTP Endpoint are HTML-escaped. {pull}39329[39329]
 
 *Auditbeat*
 

diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go
@@ -5,10 +5,12 @@
 package http_endpoint
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/base32"
 	"encoding/binary"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
@@ -322,7 +324,7 @@ func newHandler(ctx context.Context, c config, prg *program, pub stateless.Publi
 		program:               prg,
 		messageField:          c.Prefix,
 		responseCode:          c.ResponseCode,
-		responseBody:          c.ResponseBody,
+		responseBody:          htmlEscape(c.ResponseBody),
 		includeHeaders:        canonicalizeHeaders(c.IncludeHeaders),
 		preserveOriginalEvent: c.PreserveOriginalEvent,
 		crc:                   newCRC(c.CRCProvider, c.CRCSecret),
@@ -350,6 +352,12 @@ func newHandler(ctx context.Context, c config, prg *program, pub stateless.Publi
 	return h
 }
 
+func htmlEscape(s string) string {
+	var buf bytes.Buffer
+	json.HTMLEscape(&buf, []byte(s))
+	return buf.String()
+}
+
 // newID returns an ID derived from the current time.
 func newID() string {
 	var data [8]byte