Fix too much XSS protections

dasJ · dasJ · commit fd0b8ec8e091 · 2025-08-14T12:25:17.000+02:00
- Fixes build graphs
- Fixes pagination
- Fixes pressure of new queue runner
diff --git a/src/lib/Hydra/Controller/Root.pm b/src/lib/Hydra/Controller/Root.pm
@@ -13,6 +13,7 @@ use Number::Bytes::Human qw(format_bytes);
 use Encode;
 use File::Basename;
 use JSON::MaybeXS;
+use HTML::Entities;
 use List::Util qw[min max];
 use List::SomeUtils qw{any};
 use Net::Prometheus;
@@ -229,7 +230,7 @@ sub machines :Local Args(0) {
     $c->stash->{pretty_percent} = sub {
         my ($percent) = @_;
         my $ret = sprintf('%.2f', $percent);
-        return ('&nbsp;' x (6 - length($ret))) . $ret;
+        return ('&nbsp;' x (6 - length($ret))) . encode_entities($ret);
     };
     $self->status_ok($c, entity => $c->stash->{machines});
 }
diff --git a/src/root/common.tt b/src/root/common.tt
@@ -444,9 +444,9 @@ BLOCK renderInputDiff; %]
 BLOCK renderPager %]
   <ul class="pagination">
     <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=1") %]>&laquo; First</a></li>
-    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page="); (page - 1) %]>&lsaquo; Previous</a></li>
-    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page="); (page + 1) %]>Next &rsaquo;</a></li>
-    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes("$baseUri?page="); (total - 1) div resultsPerPage + 1 %]>Last &raquo;</a></li>
+    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ (page - 1)) %]>&lsaquo; Previous</a></li>
+    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ (page + 1)) %]>Next &rsaquo;</a></li>
+    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ ((total - 1) div resultsPerPage + 1)) %]>Last &raquo;</a></li>
   </ul>
 [% END;
 
@@ -700,7 +700,7 @@ BLOCK createChart %]
 
   <script type="text/javascript">
     $(function() {
-      showChart("[% HTML.escape(id) %]", "[% dataUrl | uri %]", "[% yaxis %]");
+      showChart("[% HTML.escape(id) %]", "[% dataUrl %]", "[% yaxis %]");
     });
   </script>
 
diff --git a/src/root/machine-status.tt b/src/root/machine-status.tt
@@ -36,7 +36,7 @@
                 [% pressure = m.value.stats.pressure %]
                 [% MACRO render_pressure(title, pressure) BLOCK %]
                     [% IF pressure %]
-                        <tr><td><b>[% HTML.escape(title) %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) | html %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) | html %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) | html %]%</tt></td><td>
+                        <tr><td><b>[% HTML.escape(title) %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) %]%</tt></td><td>
                     [% END %]
                 [% END %]
                 [% IF pressure %]
