Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nexpie-grafana-theme
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Registry
Registry
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kornkitt Poolsup
nexpie-grafana-theme
Commits
5bd11744
Unverified
Commit
5bd11744
authored
Oct 18, 2018
by
Torkel Ödegaard
Committed by
GitHub
Oct 18, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #13670 from svenklemm/metrics-segment-xss
Escape values in metric segment and sql part
parents
34ef5e77
2803cdca
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
10 additions
and
9 deletions
+10
-9
public/app/core/components/query_part/query_part_editor.ts
+2
-1
public/app/core/components/sql_part/sql_part_editor.ts
+3
-2
public/app/core/directives/metric_segment.ts
+5
-6
No files found.
public/app/core/components/query_part/query_part_editor.ts
View file @
5bd11744
...
...
@@ -103,7 +103,7 @@ export function queryPartEditorDirective($compile, templateSrv) {
$scope
.
$apply
(()
=>
{
$scope
.
handleEvent
({
$event
:
{
name
:
'get-param-options'
}
}).
then
(
result
=>
{
const
dynamicOptions
=
_
.
map
(
result
,
op
=>
{
return
op
.
value
;
return
_
.
escape
(
op
.
value
)
;
});
callback
(
dynamicOptions
);
});
...
...
@@ -117,6 +117,7 @@ export function queryPartEditorDirective($compile, templateSrv) {
minLength
:
0
,
items
:
1000
,
updater
:
value
=>
{
value
=
_
.
unescape
(
value
);
setTimeout
(()
=>
{
inputBlur
.
call
(
$input
[
0
],
paramIndex
);
},
0
);
...
...
public/app/core/components/sql_part/sql_part_editor.ts
View file @
5bd11744
...
...
@@ -109,12 +109,12 @@ export function sqlPartEditorDirective($compile, templateSrv) {
$scope
.
$apply
(()
=>
{
$scope
.
handleEvent
({
$event
:
{
name
:
'get-param-options'
,
param
:
param
}
}).
then
(
result
=>
{
const
dynamicOptions
=
_
.
map
(
result
,
op
=>
{
return
op
.
value
;
return
_
.
escape
(
op
.
value
)
;
});
// add current value to dropdown if it's not in dynamicOptions
if
(
_
.
indexOf
(
dynamicOptions
,
part
.
params
[
paramIndex
])
===
-
1
)
{
dynamicOptions
.
unshift
(
part
.
params
[
paramIndex
]
);
dynamicOptions
.
unshift
(
_
.
escape
(
part
.
params
[
paramIndex
])
);
}
callback
(
dynamicOptions
);
...
...
@@ -129,6 +129,7 @@ export function sqlPartEditorDirective($compile, templateSrv) {
minLength
:
0
,
items
:
1000
,
updater
:
value
=>
{
value
=
_
.
unescape
(
value
);
if
(
value
===
part
.
params
[
paramIndex
])
{
clearTimeout
(
cancelBlur
);
$input
.
focus
();
...
...
public/app/core/directives/metric_segment.ts
View file @
5bd11744
...
...
@@ -3,7 +3,7 @@ import $ from 'jquery';
import
coreModule
from
'../core_module'
;
/** @ngInject */
export
function
metricSegment
(
$compile
,
$sce
)
{
export
function
metricSegment
(
$compile
,
$sce
,
templateSrv
)
{
const
inputTemplate
=
'<input type="text" data-provide="typeahead" '
+
' class="gf-form-input input-medium"'
+
...
...
@@ -41,13 +41,11 @@ export function metricSegment($compile, $sce) {
return
;
}
value
=
_
.
unescape
(
value
);
$scope
.
$apply
(()
=>
{
const
selected
=
_
.
find
(
$scope
.
altSegments
,
{
value
:
value
});
if
(
selected
)
{
segment
.
value
=
selected
.
value
;
segment
.
html
=
selected
.
html
||
selected
.
value
;
segment
.
html
=
selected
.
html
||
$sce
.
trustAsHtml
(
templateSrv
.
highlightVariablesAsHtml
(
selected
.
value
))
;
segment
.
fake
=
false
;
segment
.
expandable
=
selected
.
expandable
;
...
...
@@ -56,7 +54,7 @@ export function metricSegment($compile, $sce) {
}
}
else
if
(
segment
.
custom
!==
'false'
)
{
segment
.
value
=
value
;
segment
.
html
=
$sce
.
trustAsHtml
(
value
);
segment
.
html
=
$sce
.
trustAsHtml
(
templateSrv
.
highlightVariablesAsHtml
(
value
)
);
segment
.
expandable
=
true
;
segment
.
fake
=
false
;
}
...
...
@@ -95,7 +93,7 @@ export function metricSegment($compile, $sce) {
// add custom values
if
(
segment
.
custom
!==
'false'
)
{
if
(
!
segment
.
fake
&&
_
.
indexOf
(
options
,
segment
.
value
)
===
-
1
)
{
options
.
unshift
(
segment
.
value
);
options
.
unshift
(
_
.
escape
(
segment
.
value
)
);
}
}
...
...
@@ -105,6 +103,7 @@ export function metricSegment($compile, $sce) {
};
$scope
.
updater
=
value
=>
{
value
=
_
.
unescape
(
value
);
if
(
value
===
segment
.
value
)
{
clearTimeout
(
cancelBlur
);
$input
.
focus
();
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment