diff --git a/cmd/collector/app/handler/http_handler.go b/cmd/collector/app/handler/http_handler.go index bdff7cbbf4a..0124a29172b 100644 --- a/cmd/collector/app/handler/http_handler.go +++ b/cmd/collector/app/handler/http_handler.go @@ -17,6 +17,7 @@ package handler import ( "fmt" + "html" "io/ioutil" "mime" "net/http" @@ -76,7 +77,7 @@ func (aH *APIHandler) SaveSpan(w http.ResponseWriter, r *http.Request) { } if _, ok := acceptedThriftFormats[contentType]; !ok { - http.Error(w, fmt.Sprintf("Unsupported content type: %v", contentType), http.StatusBadRequest) + http.Error(w, fmt.Sprintf("Unsupported content type: %v", html.EscapeString(contentType)), http.StatusBadRequest) return } diff --git a/cmd/collector/app/zipkin/http_handler.go b/cmd/collector/app/zipkin/http_handler.go index 4b74a6b5ad4..a84326b41b6 100644 --- a/cmd/collector/app/zipkin/http_handler.go +++ b/cmd/collector/app/zipkin/http_handler.go @@ -18,6 +18,7 @@ package zipkin import ( "compress/gzip" "fmt" + "html" "io" "io/ioutil" "mime" @@ -100,7 +101,8 @@ func (aH *APIHandler) saveSpans(w http.ResponseWriter, r *http.Request) { return } if err != nil { - http.Error(w, fmt.Sprintf(handler.UnableToReadBodyErrFormat, err), http.StatusBadRequest) + safeErr := html.EscapeString(err.Error()) + http.Error(w, fmt.Sprintf(handler.UnableToReadBodyErrFormat, safeErr), http.StatusBadRequest) return } diff --git a/cmd/collector/app/zipkin/http_handler_test.go b/cmd/collector/app/zipkin/http_handler_test.go index b0bf79bae4d..ec90a0e9cb0 100644 --- a/cmd/collector/app/zipkin/http_handler_test.go +++ b/cmd/collector/app/zipkin/http_handler_test.go 
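Review bot: Only the `Unsupported content type` branch is escaped, yet `SaveSpan` begins before this hunk and continues after it, so any other `http.Error` in the function that reflects request-derived text (a parsed header, a body-read error) would still echo it raw and should receive the same `html.EscapeString` treatment, or the fix is partial. Since `http.Error` already replies with `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff`, the escaping is defence in depth against clients that ignore the declared type, and its visible cost is that legitimate callers now see `&#34;` and `&lt;` in the body; a comment such as `// Reflected request data is HTML-escaped as defence in depth; http.Error already answers as text/plain with nosniff.` records that trade-off so the escape is not removed later. A small package helper that escapes its arguments before calling `http.Error` would make any remaining sites in this and the zipkin handler hard to miss.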
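Review bot: The zipkin hunk introduces a `safeErr` local while the handler-package hunk inlines `html.EscapeString` inside `fmt.Sprintf`; the two collectors should settle on one form, ideally a shared helper next to `handler.UnableToReadBodyErrFormat` so every collector escapes reflected text identically. Escaping is warranted here because, as the test hunk in this commit shows, `err` can be a `strconv.ParseUint` error whose message embeds bytes copied from the request payload. A one-line why-comment on the new `safeErr` line, `// err can quote request bytes; escape before echoing it back`, would make the intent explicit. `saveSpans` continues outside this hunk, so other error responses in it are not covered by this note.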
@@ -156,12 +156,12 @@ func TestJsonFormat(t *testing.T) {
 },
 {
 payload: createSpan("bar", "", "1", "1", 156, 15145, false, annoJSON, binAnnoJSON),
- expected: "Unable to process request body: strconv.ParseUint: parsing \"\": invalid syntax\n",
+ expected: "Unable to process request body: strconv.ParseUint: parsing "": invalid syntax\n",
 statusCode: http.StatusBadRequest,
 },
 {
 payload: createSpan("bar", "ZTA", "1", "1", 156, 15145, false, "", ""),
- expected: "Unable to process request body: strconv.ParseUint: parsing \"ZTA\": invalid syntax\n",
+ expected: "Unable to process request body: strconv.ParseUint: parsing "ZTA": invalid syntax\n",
 statusCode: http.StatusBadRequest,
 },
 {
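Review bot: The two new `+ expected:` lines appear here with unescaped inner double quotes (`parsing "": invalid syntax`), which would not compile as Go string literals; presumably the committed file holds the `&#34;` form that `html.EscapeString` emits and this rendering decoded the entities, but that is worth confirming against the file. Pinning the escaped text is right, since it is exactly what a client of the text/plain error response receives. A short comment on the first case, `// the handler HTML-escapes the error, so quotes arrive as &#34;`, would stop the expectation from being "fixed" back to raw quotes by a later maintainer.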