From 6cfb6df81372f80e5a7aee9bc3cc9b48f06e746e Mon Sep 17 00:00:00 2001
From: Tyler Helmuth <12352919+TylerHelmuth@users.noreply.github.com>
Date: Thu, 22 Aug 2024 15:46:14 -0600
Subject: [PATCH 1/2] fix: escape use input in debug route

---
 route/route.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/route/route.go b/route/route.go
index fb62ee5cfc..d8ca5a708f 100644
--- a/route/route.go
+++ b/route/route.go
@@ -7,6 +7,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "html"
 "io"
 "math"
 "net"
@@ -301,7 +302,7 @@ func (r *Router) version(w http.ResponseWriter, req *http.Request) {
 }

 func (r *Router) debugTrace(w http.ResponseWriter, req *http.Request) {
- traceID := mux.Vars(req)["traceID"]
+ traceID := html.EscapeString(mux.Vars(req)["traceID"])
 shard := r.Sharder.WhichShard(traceID)
 w.Write([]byte(fmt.Sprintf(`{"traceID":"%s","node":"%s"}`, traceID, shard.GetAddress())))
 }

From ed1be7ab6ea51485f76f9a0d0c486bfd9bc0311a Mon Sep 17 00:00:00 2001
From: Tyler Helmuth <12352919+TylerHelmuth@users.noreply.github.com>
Date: Mon, 26 Aug 2024 09:05:16 -0600
Subject: [PATCH 2/2] Move escape location

---
 route/route.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/route/route.go b/route/route.go
index d8ca5a708f..249d727917 100644
--- a/route/route.go
+++ b/route/route.go
@@ -302,9 +302,9 @@ func (r *Router) version(w http.ResponseWriter, req *http.Request) {
 }

 func (r *Router) debugTrace(w http.ResponseWriter, req *http.Request) {
- traceID := html.EscapeString(mux.Vars(req)["traceID"])
+ traceID := mux.Vars(req)["traceID"]
 shard := r.Sharder.WhichShard(traceID)
- w.Write([]byte(fmt.Sprintf(`{"traceID":"%s","node":"%s"}`, traceID, shard.GetAddress())))
+ w.Write([]byte(fmt.Sprintf(`{"traceID":"%s","node":"%s"}`, html.EscapeString(traceID), shard.GetAddress())))
 }

 func (r *Router) getSamplerRules(w http.ResponseWriter, req *http.Request) {
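Review bot: In `debugTrace` (final state, patch 2/2) the `w.Write` line still builds a JSON body with `fmt.Sprintf` and encodes `traceID` with `html.EscapeString`, which is an HTML encoder rather than a JSON one. It covers `"`, `<`, `>`, `&` and `'`, but leaves backslashes and control characters untouched, so an ID containing them would produce malformed JSON, and clients receive HTML entities inside the ID instead of the original value. `shard.GetAddress()` is interpolated with no encoding, and the visible lines set no `Content-Type`, so unless middleware outside this hunk sets one the response type is left to sniffing. Since `encoding/json` is already imported, I would let it do the encoding and declare the type: `w.Header().Set("Content-Type", "application/json")` followed by `json.NewEncoder(w).Encode(map[string]string{"traceID": traceID, "node": shard.GetAddress()})`, checking the returned error. That changes the key order and appends a newline, so confirm nothing depends on the exact bytes of this debug response.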