Consistently use html/template instead of fmt.Sprintf in Milo console
Issue description

From samueltan@: (Fix) ad-hoc generation of HTML via the renderHTML methods in //infra/go/src/go.chromium.org/luci/milo/api/resp/console.go. There are a bunch of unvalidated URLs (see [1] and [2]) being interpolated into "href" attributes using format strings. It's hard for me to reason about where these URLs are coming from and what values they can possibly assume. It would be much better to produce this entire HTML snippet using another html/template Template.

[1] https://cs.chromium.org/chromium/infra/go/src/go.chromium.org/luci/milo/api/resp/console.go?l=154&rcl=7ad046489c578e339b873886d6973abbe43cc137
[2] https://cs.chromium.org/chromium/infra/go/src/go.chromium.org/luci/milo/api/resp/console.go?l=268&rcl=7ad046489c578e339b873886d6973abbe43cc137
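The difference the report asks for, as an added Go example that is not part of the original report and not Milo's code: the same anchor rendered with fmt.Sprintf and with html/template. The `cell` type, the function names and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// cell is a hypothetical stand-in for a console entry; it is not Milo's type.
type cell struct{ URL, Label string }

// renderSprintf mirrors the ad-hoc pattern the issue describes: both values
// are pasted into the markup with no escaping and no URL scheme check.
func renderSprintf(c cell) string {
	return fmt.Sprintf(`<a href="%s">%s</a>`, c.URL, c.Label)
}

var cellTmpl = template.Must(template.New("cell").Parse(
	`<a href="{{.URL}}">{{.Label}}</a>`))

// renderTemplate builds the same element with html/template, which escapes
// each value for the context it lands in (URL attribute vs. element text).
func renderTemplate(c cell) (string, error) {
	var sb strings.Builder
	if err := cellTmpl.Execute(&sb, c); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs, not values taken from Milo.
	samples := []cell{
		{URL: "https://ci.example.org/build/1", Label: "build 1"},
		{URL: `x" data-injected="1`, Label: "<b>2</b>"}, // quote in the URL
		{URL: "javascript:void(0)", Label: "build 3"},   // href becomes "#ZgotmplZ"
	}
	for _, c := range samples {
		safe, err := renderTemplate(c)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Sprintf:  %s\ntemplate: %s\n\n", renderSprintf(c), safe)
	}
}
```

With fmt.Sprintf the quote in the second URL closes the href attribute and the rest becomes a new attribute; html/template percent-encodes it, HTML-escapes the label, and replaces the non-http(s)/mailto scheme with its `#ZgotmplZ` failsafe value.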
Sep 24
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by s...@google.com, Sep 23 2017