From 7199931744db54650778ae093928bb5400de9def Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli <vekterli@yahooinc.com>
Date: Tue, 30 Aug 2022 14:18:09 +0000
Subject: Escape relevant fields when rendering internal filestore status pages

---
 .../storage/persistence/filestorage/filestorhandlerimpl.cpp  | 12 ++++++++----
 .../storage/persistence/filestorage/filestormanager.cpp      | 10 ++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/storage/src/vespa/storage/persistence/filestorage/filestorhandlerimpl.cpp b/storage/src/vespa/storage/persistence/filestorage/filestorhandlerimpl.cpp
index 1c818233746..1c245d9c38e 100644
--- a/storage/src/vespa/storage/persistence/filestorage/filestorhandlerimpl.cpp
+++ b/storage/src/vespa/storage/persistence/filestorage/filestorhandlerimpl.cpp
@@ -14,12 +14,15 @@
 #include <vespa/storageapi/message/stat.h>
 #include <vespa/vespalib/stllike/hash_map.hpp>
 #include <vespa/vespalib/util/exceptions.h>
+#include <vespa/vespalib/util/string_escape.h>
 #include <xxhash.h>
 
 #include <vespa/log/log.h>
 LOG_SETUP(".persistence.filestor.handler.impl");
 
 using document::BucketSpace;
+using vespalib::xml_attribute_escaped;
+using vespalib::xml_content_escaped;
 
 namespace storage {
 
@@ -1338,8 +1341,8 @@ FileStorHandlerImpl::Stripe::dumpQueueHtml(std::ostream & os) const
 
     const PriorityIdx& idx = bmi::get<1>(*_queue);
     for (const auto & entry : idx) {
-        os << "<li>" << entry._command->toString() << " (priority: "
-           << (int)entry._command->getPriority() << ")</li>\n";
+        os << "<li>" << xml_content_escaped(entry._command->toString()) << " (priority: "
+           << static_cast<int>(entry._command->getPriority()) << ")</li>\n";
     }
 }
 
@@ -1379,8 +1382,9 @@ FileStorHandlerImpl::Stripe::dumpQueue(std::ostream & os) const
 
     const PriorityIdx& idx = bmi::get<1>(*_queue);
     for (const auto & entry : idx) {
-        os << entry._bucket.getBucketId() << ": " << entry._command->toString() << " (priority: "
-           << (int)entry._command->getPriority() << ")\n";
+        os << entry._bucket.getBucketId() << ": "
+           << xml_content_escaped(entry._command->toString())
+           << " (priority: " << static_cast<int>(entry._command->getPriority()) << ")\n";
     }
 }
 
diff --git a/storage/src/vespa/storage/persistence/filestorage/filestormanager.cpp b/storage/src/vespa/storage/persistence/filestorage/filestormanager.cpp
index 63fec9f037f..62be96447a4 100644
--- a/storage/src/vespa/storage/persistence/filestorage/filestormanager.cpp
+++ b/storage/src/vespa/storage/persistence/filestorage/filestormanager.cpp
@@ -23,6 +23,7 @@
 #include <vespa/vespalib/util/cpu_usage.h>
 #include <vespa/vespalib/util/idestructorcallback.h>
 #include <vespa/vespalib/util/sequencedtaskexecutor.h>
+#include <vespa/vespalib/util/string_escape.h>
 #include <vespa/vespalib/util/stringfmt.h>
 #include <vespa/config/subscription/configuri.h>
 #include <vespa/config/helper/configfetcher.hpp>
@@ -887,16 +888,17 @@ void FileStorManager::onFlush(bool downwards)
 void
 FileStorManager::reportHtmlStatus(std::ostream& out, const framework::HttpUrlPath& path) const
 {
-    bool showStatus = !path.hasAttribute("thread");
-    bool verbose = path.hasAttribute("verbose");
+    using vespalib::xml_attribute_escaped;
 
-        // Print menu
+    bool showStatus = !path.hasAttribute("thread");
+    bool verbose    = path.hasAttribute("verbose");
+    // Print menu
     out << "<font size=\"-1\">[ <a href=\"/\">Back to top</a>"
         << " | <a href=\"?" << (verbose ? "verbose" : "")
         << "\">Main filestor manager status page</a>"
         << " | <a href=\"?" << (verbose ? "notverbose" : "verbose");
     if (!showStatus) {
-        out << "&thread=" << path.get("thread", std::string(""));
+        out << "&thread=" << xml_attribute_escaped(path.get("thread", std::string("")));
     }
     out << "\">" << (verbose ? "Less verbose" : "More verbose") << "</a>\n"
         << " ]</font><br><br>\n";
-- 
cgit v1.2.3