From 439b353f9344f1a5a9e521841656a0272014c283 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Fri, 26 Mar 2021 10:25:06 +0100
Subject: [PATCH] Escape user input used in output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Juraci Paixão Kröhling
---
 receiver/jaegerreceiver/trace_receiver.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/receiver/jaegerreceiver/trace_receiver.go b/receiver/jaegerreceiver/trace_receiver.go
index 783b54a4dec..2dbae4e19ac 100644
--- a/receiver/jaegerreceiver/trace_receiver.go
+++ b/receiver/jaegerreceiver/trace_receiver.go
@@ -17,6 +17,7 @@ package jaegerreceiver
 import (
 	"context"
 	"fmt"
+	"html"
 	"io/ioutil"
 	"mime"
 	"net"
@@ -441,7 +442,7 @@ func (jr *jReceiver) HandleThriftHTTPBatch(w http.ResponseWriter, r *http.Reques
 	batch, hErr := jr.decodeThriftHTTPBody(r)
 	if hErr != nil {
-		http.Error(w, hErr.msg, hErr.statusCode)
+		http.Error(w, html.EscapeString(hErr.msg), hErr.statusCode)
 		obsreport.EndTraceDataReceiveOp(ctx, thriftFormat, 0, hErr)
 		return
 	}
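Review bot: The `html.EscapeString` wrap on the `http.Error` line in the second hunk needs a comment explaining what it is for, because `http.Error` already responds with `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff`, so a compliant client never renders this body as markup and the escape mainly turns characters such as `&` and quotes into entities in a plain-text message. Something like `// hErr.msg may echo request data; escape it so a client that ignores text/plain + nosniff cannot render it as markup` would record the intent so a later reader does not remove it as redundant. Whether hErr.msg actually embeds client-controlled input is not visible here, since decodeThriftHTTPBody lies outside the hunk; if it does, quoting that value with `%q` where the message is built would keep the plain-text output readable while still neutralising control characters. The body of HandleThriftHTTPBatch continues past the end of the hunk.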