Commit c53435f7 by Dominik Prokop Committed by GitHub

Graph: Fix XSS vulnerability with series overrides (#25401)

* Fix XSS vulnerability with Graph series overrides

* Update public/app/plugins/datasource/testdata/partials/query.editor.html
parent c7e38fd4
......@@ -7,7 +7,7 @@
</div>
<div class="gf-form max-width-15">
<label class="gf-form-label query-keyword">Alias</label>
<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()">
<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()" pattern='[^<>&\\"]+'>
</div>
</div>
......
......@@ -12,7 +12,7 @@
</div>
<div class="gf-form">
<label class="gf-form-label query-keyword width-7">Alias</label>
<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-change="ctrl.refresh()" ng-model-onblur>
<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-model-onblur ng-change="ctrl.refresh()" pattern='[^<>&\\"]+'>
</div>
<div ng-if="ctrl.showLabels" class="gf-form gf-form--grow">
<label class="gf-form-label query-keyword width-7">
......
import _ from 'lodash';
import coreModule from 'app/core/core_module';
import { textUtil } from '@grafana/data';
/** @ngInject */
export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: any) {
......@@ -79,7 +80,7 @@ export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: a
$scope.getSeriesNames = () => {
return _.map($scope.ctrl.seriesList, series => {
return series.alias;
return textUtil.escapeHtml(series.alias);
});
};
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment