From 072605dd98f26ec9c88a152598798a51ccc764bb Mon Sep 17 00:00:00 2001
From: Hao Chen
Date: Tue, 21 Feb 2023 11:58:38 +0800
Subject: [PATCH] fix XSS bug

---
 web/server.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/web/server.go b/web/server.go
index 1a2a168c..53f34764 100644
--- a/web/server.go
+++ b/web/server.go
@@ -21,6 +21,7 @@ package web
 import (
 "encoding/json"
 "fmt"
+ "html"
 "net"
 "net/http"
 "strconv"
@@ -79,15 +80,18 @@ func getNum[T any](str string, _default T, convert func(string) (T, error)) T {
 }
 return n
 }
+func getStr(str string) string {
+ return strings.TrimSpace(html.EscapeString(str))
+}
 func getFilter(req *http.Request) (*report.SLAFilter, error) {
 filter := &report.SLAFilter{}
- filter.Name = strings.TrimSpace(req.URL.Query().Get("name"))
- filter.Kind = strings.TrimSpace(req.URL.Query().Get("kind"))
- filter.Endpoint = strings.TrimSpace(req.URL.Query().Get("ep"))
+ filter.Name = getStr(req.URL.Query().Get("name"))
+ filter.Kind = getStr(req.URL.Query().Get("kind"))
+ filter.Endpoint = getStr(req.URL.Query().Get("ep"))
 filter.Status = getStatus(req.URL.Query().Get("status"))
- filter.Message = strings.TrimSpace(req.URL.Query().Get("msg"))
+ filter.Message = getStr(req.URL.Query().Get("msg"))
 filter.SLAGreater = getNum(req.URL.Query().Get("gte"), 0, toFloat)
 filter.SLALess = getNum(req.URL.Query().Get("lte"), 100, toFloat)
 filter.PageNum = getNum(req.URL.Query().Get("pg"), 1, toInt)
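Review bot: The new `html` import is consumed by `getStr` in the second hunk, which applies `html.EscapeString` at the query-parsing layer rather than at output, so `filter.Name`, `filter.Kind`, `filter.Endpoint` and `filter.Message` now carry HTML entities (`&` becomes `&amp;`, `"` becomes `&#34;`) instead of the user's input. If those fields are later compared against stored probe names or rendered through `html/template` (not visible here), matching breaks for any value containing `&`, `<`, `>`, `'` or `"`, and the template layer escapes them a second time. The safer shape is to keep the parser returning raw trimmed values, `return strings.TrimSpace(str)`, and escape exactly once where the filter values are written into an HTML response, which is also where this import then belongs. The body of `getFilter` continues past the end of this chunk, so any later use of the escaped fields could not be checked.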