Escape values in metric segment and sql part

3a25a0de · Sven Klemm · 3f6f98a5 · 3a25a0de · 3a25a0de
Commit 3a25a0de authored Oct 15, 2018 by Sven Klemm
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

public/app/core/components/sql_part/sql_part_editor.ts
+3 -2

public/app/core/directives/metric_segment.ts
+5 -4

No files found.
--- a/public/app/core/components/sql_part/sql_part_editor.ts
+++ b/public/app/core/components/sql_part/sql_part_editor.ts
@@ -109,12 +109,12 @@ export function sqlPartEditorDirective($compile, templateSrv) {
          $scope.$apply(() => {
            $scope.handleEvent({ $event: { name: 'get-param-options', param: param } }).then(result => {
              const dynamicOptions = _.map(result, op => {
-                return op.value;
+                return _.escape(op.value);
              });

              // add current value to dropdown if it's not in dynamicOptions
              if (_.indexOf(dynamicOptions, part.params[paramIndex]) === -1) {
-                dynamicOptions.unshift(part.params[paramIndex]);
+                dynamicOptions.unshift(_.escape(part.params[paramIndex]));
              }

              callback(dynamicOptions);
@@ -129,6 +129,7 @@ export function sqlPartEditorDirective($compile, templateSrv) {
          minLength: 0,
          items: 1000,
          updater: value => {
+            value = _.unescape(value);
            if (value === part.params[paramIndex]) {
              clearTimeout(cancelBlur);
              $input.focus();

--- a/public/app/core/directives/metric_segment.ts
+++ b/public/app/core/directives/metric_segment.ts
@@ -56,7 +56,7 @@ export function metricSegment($compile, $sce) {
            }
          } else if (segment.custom !== 'false') {
            segment.value = value;
-            segment.html = $sce.trustAsHtml(value);
+            segment.html = _.escape(value);
            segment.expandable = true;
            segment.fake = false;
          }
@@ -95,7 +95,7 @@ export function metricSegment($compile, $sce) {
            // add custom values
            if (segment.custom !== 'false') {
              if (!segment.fake && _.indexOf(options, segment.value) === -1) {
-                options.unshift(segment.value);
+                options.unshift(_.escape(segment.value));
              }
            }

@@ -105,6 +105,7 @@ export function metricSegment($compile, $sce) {
      };

      $scope.updater = value => {
+        value = _.unescape(value);
        if (value === segment.value) {
          clearTimeout(cancelBlur);
          $input.focus();
@@ -219,7 +220,7 @@ export function metricSegmentModel(uiSegmentSrv, $q) {
            cachedOptions = $scope.options;
            return $q.when(
              _.map($scope.options, option => {
-                return { value: option.text };
+                return { value: _.escape(option.text) };
              })
            );
          } else {
@@ -229,7 +230,7 @@ export function metricSegmentModel(uiSegmentSrv, $q) {
                if (option.html) {
                  return option;
                }
-                return { value: option.text };
+                return { value: _.escape(option.text) };
              });
            });
          }