fix(annotations): Fixed issue when html sanitizer failes for title to annotation…

fix(annotations): Fixed issue when html sanitizer failes for title to annotation body, now fallbacks to html escaping title and text, fixes #2563

fix(annotations): Fixed issue when html sanitizer failes for title to annotation…
fix(annotations): Fixed issue when html sanitizer failes for title to annotation body, now fallbacks to html escaping title and text, fixes #2563
8f35683c · Torkel Ödegaard · 30cd782e · 8f35683c · 8f35683c · 8f35683c
Commit 8f35683c authored Aug 21, 2015 by Torkel Ödegaard
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

CHANGELOG.md
+1 -0

public/app/directives/annotationTooltip.js
+13 -2

public/app/features/annotations/annotationsSrv.js
+1 -1

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ it allows you to add queries of differnet data source types & instances to the s
 - [Issue #2568](https://github.com/grafana/grafana/issues/2568). AuthProxy: Fix for server side rendering of panel when using auth proxy
 - [Issue #2490](https://github.com/grafana/grafana/issues/2490). Graphite: Dashboard import was broken in 2.1 and 2.1.1, working now
 - [Issue #2565](https://github.com/grafana/grafana/issues/2565). TimePicker: Fix for when you applied custom time range it did not refreh dashboard
+- [Issue #2563](https://github.com/grafana/grafana/issues/2563). Annotations: Fixed issue when html sanitizer failes for title to annotation body, now fallbacks to html escaping title and text

 **Breaking Changes**
 - Notice to makers/users of custom data sources, there is a minor breaking change in 2.2 that

--- a/public/app/directives/annotationTooltip.js
+++ b/public/app/directives/annotationTooltip.js
@@ -9,17 +9,28 @@ function (angular, $, _) {
  angular
  .module('grafana.directives')
  .directive('annotationTooltip', function($sanitize, dashboardSrv, $compile) {
+
+    function sanitizeString(str) {
+      try {
+        return $sanitize(str);
+      }
+      catch(err) {
+        console.log('Could not sanitize annotation string, html escaping instead');
+        return _.escape(str);
+      }
+    }
+
    return {
      link: function (scope, element) {
        var event = scope.event;
-        var title = $sanitize(event.title);
+        var title = sanitizeString(event.title);
        var dashboard = dashboardSrv.getCurrent();
        var time = '<i>' + dashboard.formatDate(event.min) + '</i>';

        var tooltip = '<div class="graph-tooltip small"><div class="graph-tooltip-time">' + title + ' ' + time + '</div> ' ;

        if (event.text) {
-          var text = $sanitize(event.text);
+          var text = sanitizeString(event.text);
          tooltip += text.replace(/\n/g, '<br>') + '<br>';
        }


--- a/public/app/features/annotations/annotationsSrv.js
+++ b/public/app/features/annotations/annotationsSrv.js
@@ -62,7 +62,7 @@ define([
        min: options.time,
        max: options.time,
        eventType: options.annotation.name,
-        title: options.title,
+        title: 'Torkel <test@asd.com>',//  options.title,
        tags: options.tags,
        text: options.text,
        score: 1