Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor span formatter function to use a html template to generate autoescaped HTML #5280

Closed
wants to merge 4 commits into from
Closed

Refactor span formatter function to use a html template to generate autoescaped HTML #5280

wants to merge 4 commits into from

Conversation

AkhigbeEromo
Copy link
Contributor

@AkhigbeEromo AkhigbeEromo commented Mar 15, 2024
edited
Loading

@AkhigbeEromo AkhigbeEromo requested a review from dashpole as a code owner March 15, 2024 15:07
@AkhigbeEromo AkhigbeEromo requested a review from a team March 15, 2024 15:07
@codecov Codecov
Copy link

codecov bot commented Mar 15, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 61.2%. Comparing base (f3ba8c2) to head (2f960f3).
Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##            main   #5280     +/-   ##
=======================================
- Coverage   61.2%   61.2%   -0.1%     
=======================================
  Files        185     185             
  Lines      11207   11214      +7     
=======================================
  Hits        6865    6865             
- Misses      4142    4149      +7     
  Partials     200     200
Files Coverage Δ
zpages/templates.go 17.2% <0.0%> (-5.5%) ⬇️

MrAlias
MrAlias reviewed Mar 17, 2024
View reviewed changes
CHANGELOG.md Outdated
@@ -11,6 +11,8 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
### Added

- Add the new `go.opentelemetry.io/contrib/instrgen` package to provide auto-generated source code instrumentation. (#3068, #3108)
- Add a new package `go.opentelemetry.io/contrib/zpages/internal` to enable the use of internal.Templates within the parseTemplate function.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be removed. It is not included in these changes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted

CHANGELOG.md Outdated
@@ -11,6 +11,8 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
### Added

- Add the new `go.opentelemetry.io/contrib/instrgen` package to provide auto-generated source code instrumentation. (#3068, #3108)
- Add a new package `go.opentelemetry.io/contrib/zpages/internal` to enable the use of internal.Templates within the parseTemplate function.
- Refactored the spanRowFormatter function to utilize HTML templates for auto-escaping HTML, ensuring protection against Cross-site Scripting (XSS) vulnerabilities. (#4451)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rewrite this in terms that an end-user will understand and move to the "### Fixed" section.

Reference: https://keepachangelog.com/en/1.1.0/

zpages/templates.go
tpl = fmt.Sprintf(`trace_id: <b style="color:%s">%s</b> span_id: %s `, col, template.HTMLEscapeString(r.SpanContext.TraceID().String()), template.HTMLEscapeString(r.SpanContext.SpanID().String()))
}

t := template.Must(template.New("spanRow").Parse(tpl))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will panic.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what would you advise i do?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really grateful for your corrections @MrAlias

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be better if i just
return template.HTML(fmt.Sprintf(tpl))

@MrAlias
Copy link
Contributor

MrAlias commented Mar 17, 2024

Please address lint failures.

@AkhigbeEromo
Copy link
Contributor Author

Okay, will work on it@MrAlias

@AkhigbeEromo AkhigbeEromo requested a review from MrAlias March 25, 2024 16:56
@dmathieu
Copy link
Member

Closing, as this has been fixed in #5327

@dmathieu dmathieu closed this Mar 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dashpole dashpole Awaiting requested review from dashpole dashpole is a code owner

@MrAlias MrAlias Awaiting requested review from MrAlias

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AkhigbeEromo @MrAlias @dmathieu