Fix broken 'html' HAProxy converter in ban-with-contact.html#167
Merged
sabban merged 1 commit intoJul 3, 2026
Merged
Conversation
PR #166 escaped contact_us_url via a `,html` converter in the native HAProxy template, but HAProxy has no such converter — `haproxy -c` rejects the config with "unknown converter 'html'", breaking any deployment that enables the ban-with-contact page. Move the escaping to the single point where contact_us_url is produced (Go, via html.EscapeString) instead of duplicating it in both the Lua template renderer and the HAProxy config. Both the Lua and native HAProxy templates now consume the already-escaped value, so neither needs its own escaping logic. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
sabban
added a commit
that referenced
this pull request
Jul 6, 2026
* golangci-lint * Make HAProxy Lua rendering optional * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: strip surrounding quotes from string literals in Lua template if-statement parser * Fix ACL content-negotiation, charset, captcha status, Docker Lua volume, template a11y (#165) Fix review findings: ACL content-negotiation, charset, captcha status, Docker Lua volume, template accessibility - Replace '-m sub text' (overly broad, matched text/plain) with 'text/html' substring match - Add 'html_rejected' ACL to exclude clients sending text/html;q=0 from HTML rendering - Change captcha non-HTML response from 403 to 200 to preserve the Lua handler's semantics - Add charset=utf-8 to all HTML Content-Type response headers - Use regsub(&,\&,g) to HTML-encode '&' in contact URL href in ban-with-contact.html - Fix <div> dark-mode-toggle to <button> and collapse duplicate SVG class in ban.html and captcha.html - Restore lua: volume in docker-compose.yaml as commented-out for optional Lua rendering mode - Document template path customisation and lf-file startup validation gap in README Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix typo: rename agaisnt to against in template.lua * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Fix XSS vulnerability: validate URL scheme and HTML-escape contact_us… (#166) Fix XSS vulnerability: validate URL scheme and HTML-escape contact_us_url - Validate contact_us_url scheme (only http/https/mailto allowed) in Go before setting the HAProxy variable, preventing javascript: XSS - Use HAProxy html converter in ban-with-contact.html for proper HTML-escaping (replaces incomplete regsub that only handled ampersands) - Add html_escape() helper in crowdsec.lua and apply it to contact_us_url before passing it to the Lua template renderer Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * Fix broken 'html' HAProxy converter in ban-with-contact.html (#167) PR #166 escaped contact_us_url via a `,html` converter in the native HAProxy template, but HAProxy has no such converter — `haproxy -c` rejects the config with "unknown converter 'html'", breaking any deployment that enables the ban-with-contact page. Move the escaping to the single point where contact_us_url is produced (Go, via html.EscapeString) instead of duplicating it in both the Lua template renderer and the HAProxy config. Both the Lua and native HAProxy templates now consume the already-escaped value, so neither needs its own escaping logic. Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
contact_us_urlin the native HAProxy template using a,htmlconverter, but HAProxy has no such converter. Verified against the actualhaproxy:2.9.7-alpineimage used by this repo's docker-compose:haproxy -cfails withunknown converter 'html', so any deployment enablingban-with-contact.html(via thelf-filedirective inhaproxy.cfg) fails to start.contact_us_urlis produced —internal/remediation/ban/root.go, via stdlibhtml.EscapeString— after the existing scheme allowlist check, instead of duplicating escaping logic in both the Lua template renderer and the HAProxy config.html_escape()inlua/crowdsec.lua; the Lua ban template consumes the already-escaped value.templates/ban-with-contact.htmlto a plain%[var(txn.crowdsec.contact_us_url)](no converter needed).Test plan
go build ./...andgo vet ./internal/remediation/ban/...passtemplates/ban-with-contact.htmlagainst realhaproxy:2.9.7-alpineviahaproxy -c— now exits 0 (previously failed withunknown converter 'html')🤖 Generated with Claude Code