TablePabel: Sanitize column link (#21735)

751eb2c8 · Tobias Skarhed · Torkel Ödegaard · 089162b0 · 751eb2c8
Commit 751eb2c8 authored Jan 25, 2020 by Tobias Skarhed Committed by Torkel Ödegaard Jan 25, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletions

public/app/plugins/panel/table/renderer.ts
+4 -1

No files found.
--- a/public/app/plugins/panel/table/renderer.ts
+++ b/public/app/plugins/panel/table/renderer.ts
@@ -14,6 +14,7 @@ import {
 import { TemplateSrv } from 'app/features/templating/template_srv';
 import { ColumnRender, TableRenderModel, ColumnStyle } from './types';
 import { ColumnOptionsCtrl } from './column_options';
+import { sanitizeUrl } from 'app/core/utils/text';

 export class TableRenderer {
  formatters: any[];
@@ -297,13 +298,15 @@ export class TableRenderer {
      scopedVars['__cell'] = { value: value, text: value ? value.toString() : '' };

      const cellLink = this.templateSrv.replace(column.style.linkUrl, scopedVars, encodeURIComponent);
+      const sanitizedCellLink = sanitizeUrl(cellLink);
+
      const cellLinkTooltip = this.templateSrv.replace(column.style.linkTooltip, scopedVars);
      const cellTarget = column.style.linkTargetBlank ? '_blank' : '';

      cellClasses.push('table-panel-cell-link');

      columnHtml += `
-        <a href="${cellLink}" target="${cellTarget}" data-link-tooltip data-original-title="${cellLinkTooltip}" data-placement="right"${cellStyle}>
+        <a href="${sanitizedCellLink}" target="${cellTarget}" data-link-tooltip data-original-title="${cellLinkTooltip}" data-placement="right"${cellStyle}>
          ${value}
        </a>
      `;