Fix potential cross-site scripting issue

Signed-off-by: Yuri Shkuro <github@ysh.us>
jaegertracing · Dec 20, 2020 · bde9cb8 · bde9cb8
1 parent cfcb937
commit bde9cb8
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cmd/collector/app/handler/http_handler.go b/cmd/collector/app/handler/http_handler.go
@@ -17,6 +17,7 @@ package handler
 
 import (
 	"fmt"
+	"html"
 	"io/ioutil"
 	"mime"
 	"net/http"
@@ -76,7 +77,7 @@ func (aH *APIHandler) SaveSpan(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if _, ok := acceptedThriftFormats[contentType]; !ok {
-		http.Error(w, fmt.Sprintf("Unsupported content type: %v", contentType), http.StatusBadRequest)
+		http.Error(w, fmt.Sprintf("Unsupported content type: %v", html.EscapeString(contentType)), http.StatusBadRequest)
 		return
 	}