Fixes an XSS issue with unescaped node names. (#3578)
* Fixes an XSS issue with node names in the tomography graph. * Updates built-in static web assets. * Updates the change log.
This commit is contained in:
parent
6f31af82d6
commit
39f2359804
|
@ -1,5 +1,9 @@
|
|||
## 1.0.0 (UNRELEASED)
|
||||
|
||||
SECURITY:
|
||||
|
||||
* Fixed an XSS issue with Consul's built-in web UI where node names were not being properly escaped. [[GH-3578](https://github.com/hashicorp/consul/issues/3578)]
|
||||
|
||||
BREAKING CHANGES:
|
||||
|
||||
* **Raft Protocol Now Defaults to 3:** The [`-raft-protocol`](https://www.consul.io/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features by default. Version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](https://www.consul.io/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](https://www.consul.io/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. [[GH-3477](https://github.com/hashicorp/consul/issues/3477)]
|
||||
|
|
|
@ -105,7 +105,7 @@ function tomographyMouseOver(el) {
|
|||
if (segment !== "") {
|
||||
buf += ' (Segment: ' + segment + ')';
|
||||
}
|
||||
document.getElementById('tomography-node-info').innerHTML = buf;
|
||||
document.getElementById('tomography-node-info').textContent = buf;
|
||||
|
||||
}
|
||||
|
||||
|
@ -151,7 +151,7 @@ Ember.Handlebars.helper('tomographyGraph', function(tomography, size) {
|
|||
}
|
||||
distances.forEach(function (d, i) {
|
||||
buf += ' <line transform="rotate(' + (i * 360 / n) + ')" y2="' + (-insetSize * (d.distance / max)) + '" ' +
|
||||
'data-node="' + d.node + '" data-distance="' + d.distance + '" data-segment="' + d.segment + '" onmouseover="tomographyMouseOver(this);"/>';
|
||||
'data-node="' + Handlebars.Utils.escapeExpression(d.node) + '" data-distance="' + d.distance + '" data-segment="' + Handlebars.Utils.escapeExpression(d.segment) + '" onmouseover="tomographyMouseOver(this);"/>';
|
||||
});
|
||||
buf += '' +
|
||||
' </g>' +
|
||||
|
|
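Review bot: On the new line of the second hunk (@ -151) `d.distance` is still spliced into the `data-distance` attribute unescaped, while `d.node` and `d.segment` now pass through `Handlebars.Utils.escapeExpression`. It is used arithmetically in `d.distance / max` on the preceding line, so it is presumably numeric, but that guarantee comes from code outside the hunk; escaping it as well makes the attribute builder uniformly safe at no cost, e.g. `'" data-distance="' + Handlebars.Utils.escapeExpression(String(d.distance)) + '"'`. A short comment above the `buf +=` line would also help the next maintainer: every value interpolated into this SVG string lands inside a double-quoted attribute, so each one must be run through `escapeExpression`, and the switch from `innerHTML` to `textContent` in the first hunk is what lets `tomographyMouseOver` read those attributes back without a second escaping step. The helper body continues outside both hunks.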