Escape HTML entities in artifact definitions. (Velocidex#668)

content/artifact_references/pages/admin.client.remove.md

@@ -32,7 +32,7 @@ sources:
   - query: |
       LET old_clients = SELECT os_info.fqdn AS Fqdn, client_id,
              timestamp(epoch=last_seen_at/1000000) AS LastSeen FROM clients()
-      WHERE LastSeen < now() - ( atoi(string=Age) * 3600 * 24 )
+      WHERE LastSeen &lt; now() - ( atoi(string=Age) * 3600 * 24 )
 
       SELECT * FROM foreach(row=old_clients,
       query={

content/artifact_references/pages/admin.client.uninstall.md

@@ -99,7 +99,7 @@ sources:
       WHERE OS = 'darwin'
 
     query:  |
-      LET me <= SELECT Exe FROM info()
+      LET me &lt;= SELECT Exe FROM info()
 
       SELECT * FROM if(condition=ReallyDoIt,
       then={

content/artifact_references/pages/admin.client.upgrade.md

@@ -47,7 +47,7 @@ sources:
     query:  |
       // Force the file to be copied to the real temp directory since
       // we are just about to remove the Tools directory.
-      LET bin <= SELECT copy(filename=OSPath,
+      LET bin &lt;= SELECT copy(filename=OSPath,
           dest=expand(path="%SYSTEMROOT%\\Temp\\") + basename(path=OSPath)) AS Dest
       FROM Artifact.Generic.Utils.FetchBinary(
          ToolName="WindowsMSI", IsExecutable=FALSE,

content/artifact_references/pages/demo.plugins.fifo.md

@@ -119,7 +119,7 @@ sources:
       // materializing the cache contents. Otherwise the fifo wont
       // start until it is first called (i.e. the first successful
       // login and we will miss the failed events before hand).
-       LET foo <= SELECT * FROM last_5_events
+       LET foo &lt;= SELECT * FROM last_5_events
 
       // This simulates successful logon - we assume every 3 seonds.
       LET success_logon = SELECT Unix as SuccessTime from clock(period=3)
@@ -135,7 +135,7 @@ sources:
               enumerate(items=FailedTime) as FailedTime,
               count(items=FailedTime) as Count
            FROM last_5_events GROUP BY SuccessTime
-          }) WHERE Count > 3
+          }) WHERE Count &gt; 3
 
 </code></pre>
 

content/artifact_references/pages/demo.plugins.gui.md

@@ -298,7 +298,7 @@ sources:
 
           -- Add the time series into the timeline.
           SELECT timeline_add(
-              key="Timestamp", name="Time 你好世界 'line' &\" ",
+              key="Timestamp", name="Time 你好世界 'line' &\" ",
               query=T1, timeline="Test \"Timeline 你好世界\""),
            timeline_add(
               key="Timestamp", name="2",

content/artifact_references/pages/generic.applications.chrome.sessionstorage.md

@@ -43,19 +43,19 @@ parameters:
 
 sources:
 - query: |
-    LET _ <= log(message="Glob %v", args= [SessionGlobs.Glob, ])
+    LET _ &lt;= log(message="Glob %v", args= [SessionGlobs.Glob, ])
     LET _GetMapping(Data, ID) = to_dict(item={
       SELECT _key AS RawKey,
              parse_string_with_regex(string=_key,
-                 regex='map-([^-]+)-(?P<Key>.+)').Key AS _key,
+                 regex='map-([^-]+)-(?P&lt;Key&gt;.+)').Key AS _key,
              utf16(string=_value) AS _value
       FROM items(item=Data)
       WHERE RawKey =~ format(format="map-%v", args=ID)
     })
 
     LET DumpSessionStorate(Data) =
          SELECT parse_string_with_regex(string=_key,
-                    regex='''namespace-(?P<GUID>[^-]+)-(?P<URL>.+)''') AS Parsed,
+                    regex='''namespace-(?P&lt;GUID&gt;[^-]+)-(?P&lt;URL&gt;.+)''') AS Parsed,
                 _value, _GetMapping(Data=Data, ID=_value) AS Mapping
          FROM items(item=Data)
          WHERE Parsed.URL

content/artifact_references/pages/generic.applications.office.keywords.md

@@ -83,7 +83,7 @@ sources:
            globs="/**",
            root=pathspec(DelegatePath=OfficePath),
            accessor='zip')
-        WHERE not IsDir and Size > 0
+        WHERE not IsDir and Size > 0
 
         // For each document, scan all its parts for the keyword.
         SELECT OfficePath,

content/artifact_references/pages/generic.client.info.md

@@ -58,7 +58,7 @@ sources:
     description: Windows specific information about the host
     precondition: SELECT OS From info() where OS = 'windows'
     query: |
-      LET DomainLookup <= dict(
+      LET DomainLookup &lt;= dict(
          `0`='Standalone Workstation',
          `1`='Member Workstation',
          `2`='Standalone Server',
@@ -140,13 +140,13 @@ reports:
            FROM source(artifact="Generic.Client.Stats",
                        client_id=ClientId,
                        start_time=now() - 86400)
-           WHERE CPUPercent >= 0
+           WHERE CPUPercent &gt;= 0
          })
       {{ end }}
 
-      <div>
+      &lt;div&gt;
       {{ Query "resources" | LineChart "xaxis_mode" "time" "RSS.yaxis" 2 }}
-      </div>
+      &lt;/div&gt;
 
       {{ $windows_info := Query "SELECT * FROM source(source='WindowsInfo')" }}
       {{ if $windows_info }}

content/artifact_references/pages/generic.client.stats.md

@@ -55,7 +55,7 @@ reports:
            SELECT Timestamp, rate(x=CPU, y=Timestamp) * 100 As CPUPercent,
                   RSS / 1000000 AS MemoryUse
            FROM source()
-           WHERE CPUPercent >= 0
+           WHERE CPUPercent >= 0
       {{ end }}
 
       {{ Query "resources" | LineChart "xaxis_mode" "time" "RSS.yaxis" 2 }}
@@ -66,7 +66,7 @@ reports:
            SELECT Timestamp, rate(x=CPU, y=Timestamp) * 100 As CPUPercent,
                   RSS / 1000000 AS MemoryUse
            FROM source()
-           WHERE CPUPercent >= 0
+           WHERE CPUPercent >= 0
       {{ end }}
 
       {{ $client_info := Query "SELECT * FROM clients(client_id=ClientId) LIMIT 1" }}
@@ -86,9 +86,9 @@ reports:
       idle, but if a heavy hunt is running this might climb
       substantially.
 
-        <div>
+        &lt;div&gt;
         {{ Query "resources" | LineChart "xaxis_mode" "time" "RSS.yaxis" 2 }}
-        </div>
+        &lt;/div&gt;
 
       ## VQL Query
 
@@ -98,7 +98,7 @@ reports:
       {{ template "resources" }}
       ```
 
-      > To learn about managing end point performance with Velociraptor see
+      &gt; To learn about managing end point performance with Velociraptor see
         the [blog post](https://docs.velociraptor.velocidex.com/blog/html/2019/02/10/velociraptor_performance.html).
 
 column_types:

content/artifact_references/pages/generic.collectors.file.md

@@ -50,7 +50,7 @@ parameters:
 sources:
    - name: All Matches Metadata
      query: |
-      LET RootPath <= pathspec(Path=Root, accessor=Accessor)
+      LET RootPath &lt;= pathspec(Path=Root, accessor=Accessor)
 
       -- Generate the collection globs for each device
       LET specs = SELECT RootPath + Glob AS Glob
@@ -69,7 +69,7 @@ sources:
         WHERE NOT IsDir AND log(message="Found " + SourceFile)
 
       -- Pass all the results to the next query.
-      LET all_results <=
+      LET all_results &lt;=
          SELECT Created, LastAccessed, Modified, Size, SourceFile
          FROM hits
 

content/artifact_references/pages/generic.collectors.sqlecmd.md

@@ -231,8 +231,8 @@ parameters:
 
 sources:
 - query: |
-   LET AllFilenamesRegex <= '''^(CarsDB.db|Contacts.db|random.sqlite|ActivitiesCache.db|Antiphishing.db|RansomwareRecover.db|cache.db|es.db|Web Data|Web Data|Cookies|History|Favicons|History|History|Web Data|Media History|Media History|Network Action Predictor|Shortcuts|Top Sites|aggregation.dbx|config.db|filecache.db|icon.db|instance.dbx|home.db|home.db|home.db|home.db|sync_history.db|tray-thumbnails.db|EventTranscript.db|EventTranscript.db|queue.sqlite3|places.sqlite|cookies.sqlite|downloads.sqlite|places.sqlite|favicons.sqlite|formhistory.sqlite|places.sqlite|random.db|cloud_graph.db|snapshot.db|sync_config.db|metadata_sqlite_db|plum.sqlite|nessusd.db|MediaDb.v1.sqlite|random.db|Main.db|wpndatabase.db|wpndatabase.db|Store.db|contacts.db|Notifications.db|Phone.db|photos.db|settings.db|accounts4.db|callhistory.storedata)$'''
-   LET SQLiteFiles <=
+   LET AllFilenamesRegex &lt;= '''^(CarsDB.db|Contacts.db|random.sqlite|ActivitiesCache.db|Antiphishing.db|RansomwareRecover.db|cache.db|es.db|Web Data|Web Data|Cookies|History|Favicons|History|History|Web Data|Media History|Media History|Network Action Predictor|Shortcuts|Top Sites|aggregation.dbx|config.db|filecache.db|icon.db|instance.dbx|home.db|home.db|home.db|home.db|sync_history.db|tray-thumbnails.db|EventTranscript.db|EventTranscript.db|queue.sqlite3|places.sqlite|cookies.sqlite|downloads.sqlite|places.sqlite|favicons.sqlite|formhistory.sqlite|places.sqlite|random.db|cloud_graph.db|snapshot.db|sync_config.db|metadata_sqlite_db|plum.sqlite|nessusd.db|MediaDb.v1.sqlite|random.db|Main.db|wpndatabase.db|wpndatabase.db|Store.db|contacts.db|Notifications.db|Phone.db|photos.db|settings.db|accounts4.db|callhistory.storedata)$'''
+   LET SQLiteFiles &lt;=
    SELECT OSPath,
     read_file(filename=OSPath, length=15, accessor=Accessor) AS Magic,
     if(condition=AlsoUpload,

content/artifact_references/pages/generic.detection.hashhunter.md

@@ -63,15 +63,15 @@ parameters:
 sources:
   - query: |
       -- setup hash lists
-      LET MD5List <= if(condition= MD5List,
+      LET MD5List &lt;= if(condition= MD5List,
                         then= split(sep='\\s+',string=MD5List), else=Null)
-      LET SHA1List <= if(condition= SHA1List,
+      LET SHA1List &lt;= if(condition= SHA1List,
                         then= split(sep='\\s+',string=SHA1List), else=Null)
-      LET SHA256List <= if(condition= SHA256List,
+      LET SHA256List &lt;= if(condition= SHA256List,
                         then= split(sep='\\s+',string=SHA256List), else=Null)
 
       -- set hash selector for optimised hash calculation
-      LET HashSelector <= SELECT * FROM chain(
+      LET HashSelector &lt;= SELECT * FROM chain(
           a={ SELECT "MD5" AS Hash FROM scope() WHERE MD5List },
           b={ SELECT "SHA1" AS Hash FROM scope() WHERE SHA1List },
           c={ SELECT "SHA256" AS Hash FROM scope() WHERE SHA256List })
@@ -82,31 +82,31 @@ sources:
                 SELECT OSPath, Name, Size,Mtime,Atime,Ctime,Btime
                 FROM glob(globs=TargetGlob,accessor=Accessor,nosymlink='True')
                 WHERE NOT IsDir AND NOT IsLink
-                    AND Size > SizeMin AND Size < SizeMax
-                    AND ( Mtime < DateBefore OR Ctime < DateBefore OR Btime < DateBefore )
-                    AND ( Mtime > DateAfter OR Ctime > DateAfter OR Btime > DateAfter )
+                    AND Size &gt; SizeMin AND Size &lt; SizeMax
+                    AND ( Mtime &lt; DateBefore OR Ctime &lt; DateBefore OR Btime &lt; DateBefore )
+                    AND ( Mtime &gt; DateAfter OR Ctime &gt; DateAfter OR Btime &gt; DateAfter )
             }, 
             else={ SELECT * FROM  if(condition=DateBefore,
                 then={
                     SELECT OSPath, Name, Size,Mtime,Atime,Ctime,Btime
                     FROM glob(globs=OSPath,accessor=Accessor)
                     WHERE NOT IsDir AND NOT IsLink
-                        AND Size > SizeMin AND Size < SizeMax
-                        AND ( Mtime < DateBefore OR Ctime < DateBefore OR Btime < DateBefore )
+                        AND Size &gt; SizeMin AND Size &lt; SizeMax
+                        AND ( Mtime &lt; DateBefore OR Ctime &lt; DateBefore OR Btime &lt; DateBefore )
                 },
                 else={ SELECT * FROM  if(condition=DateAfter,
                 then={
                     SELECT OSPath, Name, Size,Mtime,Atime,Ctime,Btime
                     FROM glob(globs=TargetGlob,accessor=Accessor)
                     WHERE NOT IsDir AND NOT IsLink
-                        AND Size > SizeMin AND Size < SizeMax
-                        AND ( Mtime > DateAfter OR Ctime > DateAfter OR Btime > DateAfter )
+                        AND Size &gt; SizeMin AND Size &lt; SizeMax
+                        AND ( Mtime &gt; DateAfter OR Ctime &gt; DateAfter OR Btime &gt; DateAfter )
                 },
                 else={
                     SELECT OSPath, Name, Size,Mtime,Atime,Ctime,Btime
                     FROM glob(globs=TargetGlob,accessor=Accessor)
                     WHERE NOT IsDir AND NOT IsLink
-                        AND Size > SizeMin AND Size < SizeMax
+                        AND Size &gt; SizeMin AND Size &lt; SizeMax
                 })})})
 
 

content/artifact_references/pages/generic.detection.yara.glob.md

@@ -116,18 +116,18 @@ parameters:
 sources:
   - query: |
       -- check which Yara to use
-      LET yara_rules <= YaraUrl || YaraRule
+      LET yara_rules &lt;= YaraUrl || YaraRule
 
       -- time testing
       LET time_test(stamp) =
             if(condition= DateBefore AND DateAfter,
-                then= stamp < DateBefore AND stamp > DateAfter,
+                then= stamp &lt; DateBefore AND stamp &gt; DateAfter,
                 else=
             if(condition=DateBefore,
-                then= stamp < DateBefore,
+                then= stamp &lt; DateBefore,
                 else=
             if(condition= DateAfter,
-                then= stamp > DateAfter,
+                then= stamp &gt; DateAfter,
                 else= True
             )))
 
@@ -137,10 +137,10 @@ sources:
         WHERE
           NOT IsDir AND NOT IsLink
           AND if(condition=SizeMin,
-            then= SizeMin < Size,
+            then= SizeMin &lt; Size,
             else= True)
           AND if(condition=SizeMax,
-            then=SizeMax > Size,
+            then=SizeMax &gt; Size,
             else= True)
           AND
              ( time_test(stamp=Mtime)
@@ -163,10 +163,10 @@ sources:
                             name=format(format="%v-%v-%v",
                             args=[
                                 OSPath,
-                                if(condition= String.Offset - ContextBytes < 0,
+                                if(condition= String.Offset - ContextBytes &lt; 0,
                                     then= 0,
                                     else= String.Offset - ContextBytes),
-                                if(condition= String.Offset + ContextBytes > Size,
+                                if(condition= String.Offset + ContextBytes &gt; Size,
                                     then= Size,
                                     else= String.Offset + ContextBytes) ]
                             )) as HitContext

content/artifact_references/pages/generic.detection.yara.zip.md

@@ -108,15 +108,15 @@ sources:
 
       -- recursive search function
       LET Recurse(Container, File, Accessor, RecursionRounds) = SELECT * FROM if(
-        condition=RecursionRounds < MaxRecursions,
+        condition=RecursionRounds &lt; MaxRecursions,
         then={
            SELECT * FROM foreach(
                 row={
                     SELECT *
                     FROM glob(accessor='zip',
                        root=pathspec(DelegatePath=File, DelegateAccessor=Accessor),
                        globs='**')
-                    WHERE NOT IsDir AND Size > 0
+                    WHERE NOT IsDir AND Size &gt; 0
                 },
                 query={
                     SELECT *

content/artifact_references/pages/generic.forensic.carving.urls.md

@@ -39,7 +39,7 @@ sources:
           query={
             SELECT OSPath,
                    URL FROM parse_records_with_regex(file=OSPath,
-               regex="(?P<URL>https?:\\/\\/[\\w\\.-]+[\\/\\w \\.-]*)")
+               regex="(?P&lt;URL&gt;https?:\\/\\/[\\w\\.-]+[\\/\\w \\.-]*)")
           })
 
 </code></pre>

content/artifact_references/pages/generic.forensic.localhashes.glob.md

@@ -57,12 +57,12 @@ parameters:
 
 sources:
   - query: |
-      LET hash_db <= SELECT OSPath
+      LET hash_db &lt;= SELECT OSPath
       FROM Artifact.Generic.Forensic.LocalHashes.Init(HashDb=HashDb)
 
-      LET path <= hash_db[0].OSPath
+      LET path &lt;= hash_db[0].OSPath
 
-      LET _ <= log(message="Will use local hash database " + path)
+      LET _ &lt;= log(message="Will use local hash database " + path)
 
       // Crawl the files and calculate their hashes
       LET files = SELECT OSPath, Size, hash(path=OSPath).MD5 AS Hash

content/artifact_references/pages/generic.forensic.localhashes.init.md

@@ -28,12 +28,12 @@ sources:
         create unique index if not exists uniqueidx on hashes(path, md5)
         "
 
-      LET hash_db <= path_join(components=[dirname(path=tempfile()), HashDb])
+      LET hash_db &lt;= path_join(components=[dirname(path=tempfile()), HashDb])
 
-      LET _ <= log(message="Will use local hash database " + hash_db)
+      LET _ &lt;= log(message="Will use local hash database " + hash_db)
 
       // SQL to create the initial database.
-      LET _ <= SELECT * FROM foreach(
+      LET _ &lt;= SELECT * FROM foreach(
       row={
           SELECT Line FROM parse_lines(filename=SQL, accessor="data")
           WHERE Line

content/artifact_references/pages/generic.forensic.localhashes.query.md

@@ -50,7 +50,7 @@ parameters:
 
 sources:
   - query: |
-      LET hash_db <= SELECT OSPath
+      LET hash_db &lt;= SELECT OSPath
       FROM Artifact.Generic.Forensic.LocalHashes.Init(HashDb=HashDb)
 
       -- Check hashes from the CSV or comma delimited input