Sanitize more strings (#42)

Add string escaping to prevent XSS in several places.

quesma/quesma/ui/dashboard.go

@@ -140,7 +140,7 @@ func (qmc *QuesmaManagementConsole) generateDashboardPanel() []byte {
 
 	buffer.Html(`<div id="dashboard-kibana" class="component">`)
 	if qmc.config.Elasticsearch.AdminUrl != nil {
-		buffer.Html(fmt.Sprintf(`<a href="%s">`, qmc.config.Elasticsearch.AdminUrl.String()))
+		buffer.Html(fmt.Sprintf(`<a href="%s">`, url.PathEscape(qmc.config.Elasticsearch.AdminUrl.String())))
 	}
 	buffer.Html(dashboardName)
 	if qmc.config.Elasticsearch.AdminUrl != nil {
@@ -161,7 +161,7 @@ func (qmc *QuesmaManagementConsole) generateDashboardPanel() []byte {
 
 	buffer.Html(`<div id="dashboard-clickhouse" class="component">`)
 	if qmc.config.ClickHouse.AdminUrl != nil {
-		buffer.Html(fmt.Sprintf(`<a href="%s">`, qmc.config.ClickHouse.AdminUrl.String()))
+		buffer.Html(fmt.Sprintf(`<a href="%s">`, url.PathEscape(qmc.config.ClickHouse.AdminUrl.String())))
 	}
 	buffer.Html(clickhouseName)
 	if qmc.config.ClickHouse.AdminUrl != nil {
@@ -184,7 +184,7 @@ func (qmc *QuesmaManagementConsole) generateDashboardPanel() []byte {
 		cpuStr = fmt.Sprintf("Host CPU: N/A (error: %s)", err0.Error())
 	}
 
-	buffer.Html(fmt.Sprintf(`<div class="status">%s</div>`, cpuStr))
+	buffer.Html(`<div class="status">`).Text(cpuStr).Html(`</div>`)
 
 	var m runtime.MemStats
 	runtime.ReadMemStats(&m)
@@ -193,7 +193,7 @@ func (qmc *QuesmaManagementConsole) generateDashboardPanel() []byte {
 		total := float64(v.Total) / 1024.0 / 1024.0 / 1024.0
 		memStr += fmt.Sprintf(", avail: %.1f GB", total)
 	}
-	buffer.Html(fmt.Sprintf(`<div class="status">%s</div>`, memStr))
+	buffer.Html(`<div class="status">`).Text(memStr).Html(`</div>`)
 
 	duration := uint64(time.Since(qmc.startedAt).Seconds())
 

quesma/quesma/ui/data_sources.go

@@ -1,7 +1,6 @@
 package ui
 
 import (
-	"fmt"
 	"mitmproxy/quesma/quesma/ui/internal/builder"
 	"slices"
 	"strings"
@@ -44,11 +43,11 @@ func (qmc *QuesmaManagementConsole) generateDatasources() []byte {
 	tables := qmc.logManager.GetTableDefinitions()
 	slices.Sort(tableNames)
 	for _, tableName := range tableNames {
+		buffer.Html(`<li>`).Text(tableName)
 		if _, exist := tables.Load(tableName); exist {
-			buffer.Html(fmt.Sprintf(`<li>%s (table exists)</li>`, tableName))
-		} else {
-			buffer.Html(fmt.Sprintf(`<li>%s</li>`, tableName))
+			buffer.Html(` (table exists)`)
 		}
+		buffer.Html(`</li>`)
 	}
 	buffer.Html(`</ul>`)
 
@@ -70,14 +69,14 @@ func (qmc *QuesmaManagementConsole) generateDatasources() []byte {
 	slices.Sort(indexNames)
 	slices.Sort(internalIndexNames)
 	for _, indexName := range indexNames {
-		buffer.Html(fmt.Sprintf(`<li>%s</li>`, indexName))
+		buffer.Html(`<li>`).Text(indexName).Html(`</li>`)
 	}
 
 	if len(internalIndexNames) > 0 {
 		buffer.Html(`<ul>`)
 
 		for _, indexName := range internalIndexNames {
-			buffer.Html(fmt.Sprintf(`<li><small>%s</small></li>`, indexName))
+			buffer.Html(`<li><small>`).Text(indexName).Html(`</small></li>`)
 		}
 		buffer.Html(`</ul>`)
 	}

quesma/quesma/ui/unsupported_queries.go

@@ -7,6 +7,7 @@ import (
 	"mitmproxy/quesma/model"
 	"mitmproxy/quesma/quesma/ui/internal/builder"
 	"mitmproxy/quesma/tracing"
+	"net/url"
 	"regexp"
 	"sort"
 )
@@ -74,7 +75,7 @@ func (qmc *QuesmaManagementConsole) generateReportForUnsupportedRequests() []byt
 	buffer.Html(`<h3>Unsupported queries by type</h3>`)
 	buffer.Html(`<ul id="unsupported-queries-stats">`)
 	for _, t := range slice {
-		buffer.Html(fmt.Sprintf(`<li><a class="debug-warn-log" href="/unsupported-requests/%s">`, t.name))
+		buffer.Html(fmt.Sprintf(`<li><a class="debug-warn-log" href="/unsupported-requests/%s">`, url.PathEscape(t.name)))
 		buffer.Text(fmt.Sprintf(`%s: %d`, t.name, t.count))
 		buffer.Html("</a></li>\n")
 	}