tags #474967 wontfix
thanks

On Sun, Apr 27, 2008 at 03:59:24PM +0200, Marc Haber wrote:
> I guess that this was never intended to work since it might offer a
> possibility to inject malicious javascript into nagios' web frontend.

After consulting with other members of the Debian Nagios team, I have tagged this bug wontfix. Allowing HTML output from plugins opens Nagios up for cross-site scripting attacks (see #416814), and upstream has released version 2.11 to prevent these attacks. This is the exact opposite of your bug.

There isn't really a safe way to allow HTML from plugins, so I think that Nagios' current behavior is the safe default. I guess that it would be a good idea to send a feature request upstream to let the local admin disable the HTML escaping for "trusted" sites, or to somehow cram it through libtidy, or perhaps just notice URLs in the escaped output and arbitrarily rewrite them as links.

(This last paragraph was snarfed from Sean Finney's mail at http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/2008-May/003596.html).

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
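
The last option mentioned in the message above (keep the escaping, but recognise URLs and rewrite them as links) can be sketched as follows. This is an added example, not code from Nagios or from the message; the function name render_plugin_output and the sample plugin outputs are made up for illustration. It splits the raw text at URLs and escapes every piece separately, which is equivalent to linkifying already-escaped output.

```python
import html
import re

# Only http/https URLs are recognised. The match stops at whitespace, angle
# brackets and quotes, so a URL can never carry a character that would end
# the href attribute or open a tag.
_URL = re.compile(r"\bhttps?://[A-Za-z0-9][^\s<>\"']*", re.IGNORECASE)

# Punctuation that usually belongs to the sentence, not to the URL.
# (This also drops a closing parenthesis that is part of a URL.)
_TRAILING = ".,;:!?)"


def render_plugin_output(raw: str) -> str:
    """Return HTML for untrusted plugin output: every character is escaped,
    and the only markup emitted is an <a> element built by this function."""
    out = []
    pos = 0
    for m in _URL.finditer(raw):
        url = m.group(0).rstrip(_TRAILING)
        end = m.start() + len(url)
        # Text before the URL is plain text: escape it completely.
        out.append(html.escape(raw[pos:m.start()], quote=True))
        # The URL is escaped too, for both the attribute and the link text.
        safe = html.escape(url, quote=True)
        out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        pos = end
    # Remainder after the last URL (or the whole string if none matched).
    out.append(html.escape(raw[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed plugin output lines, for illustration only.
    samples = [
        "DISK OK - see http://wiki.example.org/disk?a=1&b=2.",
        "<script>alert(1)</script>",
        'http://example.org/"onmouseover="alert(1)',
    ]
    for line in samples:
        print(render_plugin_output(line))
```
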