Html escaping

[urso]

Requires: #7444
Closes: #2581

Add support to codecs and outputs to enable/disable escaping of html symbols in JSON strings.

By default html escaping is enabled.

• Add new setting escape_html to codec.json
• Add new setting output.elasticsearch.escape_html
• Add new setting output.logstash.escape_html
• Add settings to reference config files and output documentation

[ph]

Maybe a later refactoring would change the signature to take an object instead. No need to do it now.

[ph]

LGTM WFG

[ph]

Happy to merge this, I've looked at the current failure in the metricbeat job, this is not due to the change in this PR but a timeout on k8s.

[ruflin]

WDYT about having it off by default for 7.0? I would expect by default that no escaping is happening.

[andrewkroh]

+1 for changing this in 7.0 to disabled.

[ph]

Also agree with the above.

[ruflin]

I added this to the list here: #6106

I wonder if we should even remove to make it configurable in 7.0. What would be the reasons to enable it?

[urso]

Not sure if we should disable (or even remove) the setting by default. So far we've only heard from users not wanting to escape html. But we don't know how many users actually did rely on beats escaping the HTML symbols. Not escaping HTML puts consumers displaying raw event contents in browsers at risk. Reason escaping is still enabled by default is, I didn't want to introduce potential security issues for those users.

[ruflin]

Yes, we should not disable it 6.x as it would be a breaking change.

Good point about the potential security implications for some users. If we disable it, we should mention it clearly that this could have an affect. In general I still think we can disable / remove it in 7.0 as I don't think escaping should be part of the ingesting data but should be done by the consumer if needed.