From 47c1072b787081304e56f8d014d64810d1023fe6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=99=88=E5=9F=B9=E8=BF=9C?=
Date: Mon, 8 Jan 2018 19:35:53 +0800
Subject: [PATCH] do html escape before display path, avoid xss
---
 admin.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/admin.go b/admin.go
index 0688dcbc..73d4f9f2 100644
--- a/admin.go
+++ b/admin.go
@@ -76,6 +76,18 @@ func adminIndex(rw http.ResponseWriter, r *http.Request) {
 
 func qpsIndex(rw http.ResponseWriter, r *http.Request) {
 data := make(map[interface{}]interface{})
 data["Content"] = toolbox.StatisticsMap.GetMap()
+
+ // do html escape before display path, avoid xss
+ if content, ok := (data["Content"]).(map[string]interface{}); ok {
+ if resultLists, ok := (content["Data"]).([][]string); ok {
+ for i := range resultLists {
+ if len(resultLists[i]) > 0 {
+ resultLists[i][0] = template.HTMLEscapeString(resultLists[i][0])
+ }
+ }
+ }
+ }
+
 execTpl(rw, data, qpsTpl, defaultScriptsTpl)
 }
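Review bot: Only the first cell of each row in `content["Data"]` is escaped, so any other cell that originates from request data (the hunk does not show how GetMap builds the rows, but a request-method or URL column would be attacker-influenced) still reaches the template unescaped. Escaping every cell is a safe superset of the current change: `for j := range resultLists[i] { resultLists[i][j] = template.HTMLEscapeString(resultLists[i][j]) }`, replacing the `len(resultLists[i]) > 0` guard and the single-index assignment. Longer term this data is better escaped by the template layer (html/template's contextual auto-escaping) than by patching one column before `execTpl`, since new columns or other admin pages fed from the same map would otherwise each need the same manual pass. Note also that the loop writes the escaped strings back into the slices returned by GetMap, which is only harmless if GetMap returns fresh copies rather than the stored statistics; that is not visible in this hunk and worth confirming.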