Fixed XSS issue with file based dashboards, was really casued by an issue with…

Fixed XSS issue with file based dashboards, was really casued by an issue with alertSrv accepting html in message alerts

Fixed XSS issue with file based dashboards, was really casued by an issue with…
Fixed XSS issue with file based dashboards, was really casued by an issue with alertSrv accepting html in message alerts
d10ce909 · Torkel Ödegaard · 5175cf70 · d10ce909 · d10ce909 · d10ce909
Commit d10ce909 authored Apr 29, 2015 by Torkel Ödegaard
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

public/app/routes/dashLoadControllers.js
+1 -1

public/app/services/alertSrv.js
+1 -1

public/views/index.html
+1 -1

No files found.
--- a/public/app/routes/dashLoadControllers.js
+++ b/public/app/routes/dashLoadControllers.js
@@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
        }
        return result.data;
      },function() {
-        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load <i>dashboards/"+file+"</i>. Please make sure it exists"]);
+        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
        return false;
      });
    };

--- a/public/app/services/alertSrv.js
+++ b/public/app/services/alertSrv.js
@@ -29,7 +29,7 @@ function (angular, _) {
    this.set = function(title,text,severity,timeout) {
      var newAlert = {
        title: title || '',
-        text: $sce.trustAsHtml(text || ''),
+        text: text || '',
        severity: severity || 'info',
      };


--- a/public/views/index.html
+++ b/public/views/index.html
@@ -35,7 +35,7 @@
 						<i class="fa fa-times-circle"></i>
 					</button>
 					<div class="alert-title">{{alert.title}}</div>
-					<div ng-bind-html='alert.text'></div>
+					<div ng-bind='alert.text'></div>
 				</div>
 			</div>