frontend: disable escaping of special HTML chars for BGPMap graph

xddxdd · Jul 2, 2024 · 0dd1c07 · 0dd1c07
1 parent f0f072c
commit 0dd1c07
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/frontend/bgpmap_graph.go b/frontend/bgpmap_graph.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -69,11 +70,15 @@ func (graph *RouteGraph) attrsToString(attrs RouteAttrs) string {
 }
 
 func (graph *RouteGraph) escape(s string) string {
-	result, err := json.Marshal(s)
+	buffer := &bytes.Buffer{}
+	encoder := json.NewEncoder(buffer)
+	encoder.SetEscapeHTML(false)
+	err := encoder.Encode(s)
+
 	if err != nil {
 		return err.Error()
 	} else {
-		return string(result)
+		return string(buffer.Bytes())
 	}
 }
 

diff --git a/frontend/bgpmap_test.go b/frontend/bgpmap_test.go
@@ -33,7 +33,7 @@ func TestBirdRouteToGraphvizXSS(t *testing.T) {
 		fakeResult,
 	}, fakeResult)
 
-	if strings.Contains(result, "<script>") {
+	if strings.Contains(result, fakeResult) {
 		t.Errorf("XSS injection succeeded: %s", result)
 	}
 }