
Annotations: added HTML sanitization to prevent markup injection/XSS, Closes #1121

Torkel Ödegaard 11 yıl önce
ebeveyn
işleme
7a4077405e

+ 2 - 0
src/app/app.js

@@ -9,6 +9,7 @@ define([
   'config',
   'bootstrap',
   'angular-route',
+  'angular-sanitize',
   'angular-strap',
   'angular-dragdrop',
   'extend-jquery',
@@ -61,6 +62,7 @@ function (angular, $, _, appLevelRequire, config) {
 
   var apps_deps = [
     'ngRoute',
+    'ngSanitize',
     '$strap.directives',
     'ang-drag-drop',
     'grafana',

+ 3 - 5
src/app/components/require.config.js

@@ -17,6 +17,7 @@ require.config({
     filesaver:                '../vendor/filesaver',
     angular:                  '../vendor/angular/angular',
     'angular-route':          '../vendor/angular/angular-route',
+    'angular-sanitize':       '../vendor/angular/angular-sanitize',
     'angular-dragdrop':       '../vendor/angular/angular-dragdrop',
     'angular-strap':          '../vendor/angular/angular-strap',
     timepicker:               '../vendor/angular/timepicker',
@@ -86,15 +87,12 @@ require.config({
     'jquery.flot.time':     ['jquery', 'jquery.flot'],
     'jquery.flot.crosshair':['jquery', 'jquery.flot'],
     'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
-    'angular-cookies':      ['angular'],
     'angular-dragdrop':     ['jquery', 'angular'],
-    'angular-loader':       ['angular'],
     'angular-mocks':        ['angular'],
-    'angular-resource':     ['angular'],
+    'angular-sanitize':     ['angular'],
     'angular-route':        ['angular'],
-    'angular-touch':        ['angular'],
-    'bindonce':             ['angular'],
     'angular-strap':        ['angular', 'bootstrap','timepicker', 'datepicker'],
+    'bindonce':             ['angular'],
 
     timepicker:             ['jquery', 'bootstrap'],
     datepicker:             ['jquery', 'bootstrap'],
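Review bot: The dropped shims for `angular-cookies`, `angular-loader`, `angular-resource` and `angular-touch` (the `-` lines in the second hunk) are unrelated to the sanitize change; if any of those vendor files is still required somewhere, it would now load without the `['angular']` ordering shim, so confirm they are unused before landing this cleanup together with the XSS fix. Keeping the removals in a separate commit would also make the security fix easier to backport on its own. The same shim removals appear in src/test/test-main.js. The enclosing `require.config({` call starts before the hunk.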

+ 7 - 4
src/app/services/annotationsSrv.js

@@ -7,7 +7,7 @@ define([
 
   var module = angular.module('grafana.services');
 
-  module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope) {
+  module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope, $sanitize) {
     var promiseCached;
     var list = [];
     var timezone;
@@ -63,9 +63,11 @@ define([
     }
 
     function addAnnotation(options) {
-      var tooltip = "<small><b>" + options.title + "</b><br/>";
+      var title = $sanitize(options.title);
+      var tooltip = "<small><b>" + title + "</b><br/>";
       if (options.tags) {
-        tooltip += '<span class="tag label label-tag">' + (options.tags || '') + '</span><br/>';
+        var tags = $sanitize(options.tags);
+        tooltip += '<span class="tag label label-tag">' + (tags || '') + '</span><br/>';
       }
 
       if (timezone === 'browser') {
@@ -76,7 +78,8 @@ define([
       }
 
       if (options.text) {
-        tooltip += options.text.replace(/\n/g, '<br/>');
+        var text = $sanitize(options.text);
+        tooltip += text.replace(/\n/g, '<br/>');
       }
 
       tooltip += "</small>";
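Review bot: `$sanitize` is an allow-list HTML sanitizer rather than an escaper, so after this change `title`, `tags` and `text` in `addAnnotation` may still carry a safe subset of markup (formatting tags, links with permitted URL schemes); if these fields are meant to be plain text, HTML-escaping them would be the tighter choice, and the intended contract deserves a comment such as `// annotation fields may contain benign markup; $sanitize strips scripts, event handlers and unsafe URLs`. Since `tags` is now whatever string `$sanitize` returns, the `(tags || '')` fallback on the following line is redundant and can become `tooltip += '<span class="tag label label-tag">' + tags + '</span><br/>';`. Whether `$sanitize` accepts a non-string input (an undefined title, or tags supplied as an array) depends on the vendored angular-sanitize version, which is worth confirming because the old concatenation tolerated both. `addAnnotation` continues past the end of the second hunk, and the timezone handling between the two hunks is not visible here.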

+ 3 - 5
src/test/test-main.js

@@ -18,6 +18,7 @@ require.config({
 
     angular:               '../vendor/angular/angular',
     'angular-route':       '../vendor/angular/angular-route',
+    'angular-sanitize':    '../vendor/angular/angular-sanitize',
     angularMocks:          '../vendor/angular/angular-mocks',
     'angular-dragdrop':       '../vendor/angular/angular-dragdrop',
     'angular-strap':          '../vendor/angular/angular-strap',
@@ -80,14 +81,11 @@ require.config({
     'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
 
     'angular-route':        ['angular'],
-    'angular-cookies':      ['angular'],
+    'angular-sanitize':     ['angular'],
     'angular-dragdrop':     ['jquery', 'angular'],
-    'angular-loader':       ['angular'],
     'angular-mocks':        ['angular'],
-    'angular-resource':     ['angular'],
-    'angular-touch':        ['angular'],
-    'bindonce':             ['angular'],
     'angular-strap':        ['angular', 'bootstrap','timepicker', 'datepicker'],
+    'bindonce':             ['angular'],
 
     'bootstrap-tagsinput':          ['jquery'],