fix: form dropdown, escape autocomplete dropdown items, fixes #9089

bf110d02 · Torkel Ödegaard · e91cf28f · bf110d02 · bf110d02
Commit bf110d02 authored Aug 28, 2017 by Torkel Ödegaard
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

public/app/core/components/form_dropdown/form_dropdown.ts
+3 -1

public/app/plugins/datasource/elasticsearch/query_def.js
+1 -1

No files found.
--- a/public/app/core/components/form_dropdown/form_dropdown.ts
+++ b/public/app/core/components/form_dropdown/form_dropdown.ts
@@ -115,7 +115,9 @@ export class FormDropdownCtrl {
      this.optionCache = options;
      // extract texts
-      let optionTexts = _.map(options, 'text');
+      let optionTexts = _.map(options, op => {
+        return _.escape(op.text);
+      });
      // add custom values
      if (this.allowCustom) {

--- a/public/app/plugins/datasource/elasticsearch/query_def.js
+++ b/public/app/plugins/datasource/elasticsearch/query_def.js
@@ -29,7 +29,7 @@ function (_) {
    orderByOptions: [
      {text: "Doc Count",  value: '_count' },
-      {text: "Term value", value: '_term' },
+      {text: "Term value<script>alert('hello')</script>", value: '_term' },
    ],
    orderOptions: [