From 2b8fc062a8dbfdf18005a0d5c4dde10a21c54192 Mon Sep 17 00:00:00 2001
From: Julius Volz
Date: Sun, 5 Aug 2018 14:01:51 +0200
Subject: [PATCH] rules: HTML-escape rule YAML marshal errors (#4464)

This was pointed out by `gosec`.

Signed-off-by: Julius Volz
---
 rules/alerting.go | 2 +-
 rules/recording.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/alerting.go b/rules/alerting.go
index a702126ff..a9ca3b41c 100644
--- a/rules/alerting.go
+++ b/rules/alerting.go
@@ -433,7 +433,7 @@ func (r *AlertingRule) HTMLSnippet(pathPrefix string) html_template.HTML {
 byt, err := yaml.Marshal(ar)
 if err != nil {
- return html_template.HTML(fmt.Sprintf("error marshalling alerting rule: %q", err.Error()))
+ return html_template.HTML(fmt.Sprintf("error marshalling alerting rule: %q", html_template.HTMLEscapeString(err.Error())))
 }
 return html_template.HTML(byt)
 }
diff --git a/rules/recording.go b/rules/recording.go
index 69fdfa03e..d7167ba92 100644
--- a/rules/recording.go
+++ b/rules/recording.go
@@ -135,7 +135,7 @@ func (rule *RecordingRule) HTMLSnippet(pathPrefix string) template.HTML {
 byt, err := yaml.Marshal(r)
 if err != nil {
- return template.HTML(fmt.Sprintf("error marshalling recording rule: %q", err.Error()))
+ return template.HTML(fmt.Sprintf("error marshalling recording rule: %q", template.HTMLEscapeString(err.Error())))
 }
 return template.HTML(byt)
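Review bot: The success-path `return html_template.HTML(byt)` at the end of `AlertingRule.HTMLSnippet` (rules/alerting.go hunk) still converts the marshalled YAML to trusted HTML without escaping, while this commit covers only the error branch. Whether that is safe depends on every field of `ar` being HTML-escaped before `yaml.Marshal`, which happens above the hunk and is not visible here. A comment on that return, such as `// byt is returned as trusted HTML: every field of ar must already be HTML-escaped`, would keep the invariant in front of whoever adds a field next. The same applies to `return template.HTML(byt)` in the rules/recording.go hunk. Both functions start outside their hunks, so the per-field escaping should be confirmed against the full files.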