Merge pull request #14988 from grafana/sanitize-input-fixes

Fixed issues with the sanitizie input in text panels

Merge pull request #14988 from grafana/sanitize-input-fixes
Fixed issues with the sanitizie input in text panels
75e3d900 · Torkel Ödegaard · GitHub · caa9a90b · f0e61af8 · 75e3d900
Commit 75e3d900 authored Jan 22, 2019 by Torkel Ödegaard Committed by GitHub Jan 22, 2019
8 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,8 +26,11 @@
 * **Prometheus**: Query for annotation always uses 60s step regardless of dashboard range, fixes [#14795](https://github.com/grafana/grafana/issues/14795)
 ### Breaking changes
-* **Text Panel**: The text panel does no longer by default allow unsantizied HTML. [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings `disable_sanitize_input` 
+* **Text Panel**: The text panel does no longer by default allow unsantizied HTML.
-under the section `[panels]` in your Grafana ini file, or set env variable `GF_PANELS_DISABLE_SANITIZE_INPUT=true`. 
+* [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags
+* they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings
+* `disable_sanitize_html` under the section `[panels]` in your Grafana ini file, or set env variable
+* `GF_PANELS_DISABLE_SANITIZE_HTML=true`.
 # 5.4.3 (2019-01-14)

--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -570,7 +570,7 @@ callback_url =
 [panels]
 enable_alpha = false
-disable_sanitize_input = false
+disable_sanitize_html = false
 [enterprise]
 license_path =
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -495,3 +495,8 @@ log_queries =
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =
+[panels]
+;enable_alpha = false
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -589,3 +589,14 @@ Default setting for how Grafana handles nodata or null values in alerting. (aler
 Alert notifications can include images, but rendering many images at the same time can overload the server.
 This limit will protect the server from render overloading and make sure notifications are sent out quickly. Default
 value is `5`.
+## [panels]
+### enable_alpha
+Set to true if you want to test panels that are not yet ready for general usage.
+### disable_sanitize_html
+If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities. Default
+is false. This settings was introduced in Grafana v6.0.
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -166,7 +166,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *m.ReqContext) (map[string]interf
 		"externalUserMngLinkUrl":     setting.ExternalUserMngLinkUrl,
 		"externalUserMngLinkName":    setting.ExternalUserMngLinkName,
 		"viewersCanEdit":             setting.ViewersCanEdit,
-		"disableSanitizeInput":       hs.Cfg.DisableSanitizeInput,
+		"disableSanitizeHtml":        hs.Cfg.DisableSanitizeHtml,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,

--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -90,7 +90,6 @@ var (
 	EmailCodeValidMinutes            int
 	DataProxyWhiteList               map[string]bool
 	DisableBruteForceLoginProtection bool
-	DisableSanitizeInput             bool
 	// Snapshots
 	ExternalSnapshotUrl   string
@@ -223,7 +222,7 @@ type Cfg struct {
 	MetricsEndpointBasicAuthUsername string
 	MetricsEndpointBasicAuthPassword string
 	EnableAlphaPanels                bool
-	DisableSanitizeInput             bool
+	DisableSanitizeHtml              bool
 	EnterpriseLicensePath            string
 }
@@ -711,7 +710,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	panels := iniFile.Section("panels")
 	cfg.EnableAlphaPanels = panels.Key("enable_alpha").MustBool(false)
-	cfg.DisableSanitizeInput = panels.Key("sanitize_input_disabled").MustBool(false)
+	cfg.DisableSanitizeHtml = panels.Key("disable_sanitize_html").MustBool(false)
 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()

--- a/public/app/core/config.ts
+++ b/public/app/core/config.ts
@@ -35,7 +35,7 @@ export class Settings {
  loginHint: any;
  loginError: any;
  viewersCanEdit: boolean;
-  disableSanitizeInput: boolean;
+  disableSanitizeHtml: boolean;
  constructor(options: Settings) {
    const defaults = {
@@ -53,7 +53,7 @@ export class Settings {
        isEnterprise: false,
      },
      viewersCanEdit: false,
-      disableSanitizeInput: false
+      disableSanitizeHtml: false
    };
    _.extend(this, defaults, options);

--- a/public/app/plugins/panel/text/module.ts
+++ b/public/app/plugins/panel/text/module.ts
@@ -92,8 +92,7 @@ export class TextPanelCtrl extends PanelCtrl {
  }
  updateContent(html: string) {
-    const { disableSanitizeInput } = config;
+    html = config.disableSanitizeHtml ? html : sanitize(html);
-    html = disableSanitizeInput ? html : sanitize(html);
    try {
      this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
    } catch (e) {