Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.3.0
-
None
Description
I was just trying the new "flag redaction" feature and noticed that the string '<redacted>' isn't getting properly HTML-escaped in the /varz web page. It appears we've never properly escaped flag values in this context, but it's only obvious now that the '<redacted>' string is getting interpreted as an HTML tag.