
Dashboard does not display complex URL in custom_client attribute correctly

Open GhostLyrics opened this issue 8 years ago • 4 comments

I supply:

https://REDACTED/#/discover?_g=()&_a=(columns:!(_source),index:%5Blogstash-%5DYYYY.MM.DD,interval:auto,query:(query_string:(analyze_wildcard:!t,query:'host:sensu-client')),sort:!('@timestamp',desc))

and get:

https://REDACTED/#/discover?_g=()&_a=(columns:!(_source),index:%5Blogstash-%5DYYYY.MM.DD,interval:auto,query:(query_string:(analyze_wildcard:!t,query:'host:sensu-client')),sort:!('@timestamp',desc

(for easier viewing):

INPUT: https://…('@timestamp',desc))
OUTPUT: https://…('@timestamp',desc

GhostLyrics, May 08 '16 19:05

Upon further investigation it seems that a closing bracket at the end of the URL is always omitted.

GhostLyrics, May 08 '16 19:05

Here's a screenshot to better illustrate what the exact problem is, because I seemed not to have mentioned that the URL is indeed displayed, just not correctly. The link is wrong because the closing bracket is omitted; it's also omitted from the href element.

[Screenshot: screen shot 2016-05-08 at 21 44 59]

GhostLyrics, May 08 '16 19:05

I have a similar (same?) problem here. I tried to add a Description attribute to one of the checks -- to test whether we can use the feature to add instructions to the Operations team on what to do when a check is alerting. Plain text works, but trying to embed a link:

"SSLcerts": {
        "command":      "check-ssl-certs.rb /etc/pki/tls",
        "interval":     86423,
        "Description":  "Find all <A href=\"https://www.digicert.com/ssl-certificate.htm\">SSL-certificates</A> -- individual files and bundles -- under /etc/pki/tls and check their expiration.",
        "subscribers":  [ "unix" ]
},

does not look nice: [image: uchiwa-bad-html]

Maybe, it is a problem with the erroneously deleted closing quote. Or, maybe, Uchiwa ought to only perform the escaping/sanitizing to the standard fields, while allowing all others to go through unmodified?

To future-proof things -- what if Sensu adds a new standard field later? -- an agreement can be made, whereby any field-name beginning with a Capital letter is to be considered custom allowing users to embed complex HTML (with divs, tables, and iframes).

UnitedMarsupials-zz, May 25 '16 16:05

This seems related to the linky filter in the ngSanitize module of AngularJS. We'll have to see if it's fixed in the latest Angular 1.5.x release.

palourde, Jun 24 '16 21:06
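
The truncation reported in this thread can be reproduced with a small autolinker. The following is an added example, not code from Uchiwa or AngularJS: `NAIVE_URL` is a simplified stand-in (an assumption) for a linkifier that will not end a URL on punctuation, and `balancedMatch` and `linkify` are hypothetical helpers showing one way to re-attach closing parentheses that the URL itself opened while still escaping everything that reaches the page.

```javascript
// Added example: not Uchiwa or AngularJS source code.
// NAIVE_URL is a simplified stand-in (assumption) for an autolinker whose
// match may not end on punctuation such as ")" or ".".
const NAIVE_URL = /https?:\/\/\S*[^\s.;,(){}<>"]/i;

// URL reported in the issue (host redacted there).
const ISSUE_URL = "https://REDACTED/#/discover?_g=()&_a=(columns:!(_source)," +
  "index:%5Blogstash-%5DYYYY.MM.DD,interval:auto,query:(query_string:" +
  "(analyze_wildcard:!t,query:'host:sensu-client')),sort:!('@timestamp',desc))";

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Naive matcher: trailing ")" characters are never part of the URL.
function naiveMatch(text) {
  const m = NAIVE_URL.exec(text);
  return m ? { start: m.index, url: m[0] } : null;
}

// Balanced matcher: re-attach trailing ")" only while the URL itself still
// has an unmatched "(", so "(see https://host/page)" keeps its own ")".
function balancedMatch(text) {
  const hit = naiveMatch(text);
  if (!hit) return null;
  let depth = 0;
  for (const ch of hit.url) {
    if (ch === "(") depth++;
    else if (ch === ")" && depth > 0) depth--;
  }
  let end = hit.start + hit.url.length;
  while (depth > 0 && text[end] === ")") { end++; depth--; }
  return { start: hit.start, url: text.slice(hit.start, end) };
}

// Build the anchor; every piece of input is HTML-escaped before output.
function linkify(text, matcher) {
  const hit = matcher(text);
  if (!hit) return escapeHtml(text);
  const u = escapeHtml(hit.url);
  return escapeHtml(text.slice(0, hit.start)) + `<a href="${u}">${u}</a>` +
    escapeHtml(text.slice(hit.start + hit.url.length));
}

console.log(naiveMatch(ISSUE_URL).url === ISSUE_URL);    // naive matcher vs. input
console.log(balancedMatch(ISSUE_URL).url === ISSUE_URL); // balanced matcher vs. input
```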