Graph: Fix XSS vulnerability with series overrides (#25401)

* Fix XSS vulnerability with Graph series overrides * Update public/app/plugins/datasource/testdata/partials/query.editor.html

Graph: Fix XSS vulnerability with series overrides (#25401)
* Fix XSS vulnerability with Graph series overrides * Update public/app/plugins/datasource/testdata/partials/query.editor.html
c53435f7 · Dominik Prokop · GitHub · c7e38fd4 · c53435f7 · c53435f7
Commit c53435f7 authored Jun 08, 2020 by Dominik Prokop Committed by GitHub Jun 08, 2020
Showing with 5 additions and 4 deletions

public/app/plugins/datasource/elasticsearch/partials/query.editor.html
+1 -1

public/app/plugins/datasource/testdata/partials/query.editor.html
+2 -2

public/app/plugins/panel/graph/series_overrides_ctrl.ts
+2 -1

No files found.
--- a/public/app/plugins/datasource/elasticsearch/partials/query.editor.html
+++ b/public/app/plugins/datasource/elasticsearch/partials/query.editor.html
@@ -7,7 +7,7 @@
 		</div>
 		<div class="gf-form max-width-15">
 			<label class="gf-form-label query-keyword">Alias</label>
-			<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()">
+			<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()" pattern='[^<>&\\"]+'>
 		</div>
 	</div>

--- a/public/app/plugins/datasource/testdata/partials/query.editor.html
+++ b/public/app/plugins/datasource/testdata/partials/query.editor.html
@@ -12,7 +12,7 @@
 		</div>
 		<div class="gf-form">
 			<label class="gf-form-label query-keyword width-7">Alias</label>
-			<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-change="ctrl.refresh()" ng-model-onblur>
+			<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-model-onblur ng-change="ctrl.refresh()" pattern='[^<>&\\"]+'>
 		</div>
 		<div ng-if="ctrl.showLabels" class="gf-form gf-form--grow">
 			<label class="gf-form-label query-keyword width-7">
@@ -215,7 +215,7 @@
 		</div>
 	</div>
 	<div class="gf-form-inline" ng-if="ctrl.scenario.id === 'arrow'">
 		<div class="gf-form" style="width: 100%;">
 			<textarea type="string"

--- a/public/app/plugins/panel/graph/series_overrides_ctrl.ts
+++ b/public/app/plugins/panel/graph/series_overrides_ctrl.ts
 import _ from 'lodash';
 import coreModule from 'app/core/core_module';
+import { textUtil } from '@grafana/data';
 /** @ngInject */
 export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: any) {
@@ -79,7 +80,7 @@ export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: a
  $scope.getSeriesNames = () => {
    return _.map($scope.ctrl.seriesList, series => {
-      return series.alias;
+      return textUtil.escapeHtml(series.alias);
    });
  };