Merge pull request #15005 from grafana/xss-filter-allow-class-style

XSS sanitizer allows class and style attributes

Merge pull request #15005 from grafana/xss-filter-allow-class-style
XSS sanitizer allows class and style attributes
d9f11fa6 · Torkel Ödegaard · GitHub · 909d8907 · 5c72e4e6 · d9f11fa6
Commit d9f11fa6 authored Jan 23, 2019 by Torkel Ödegaard Committed by GitHub Jan 23, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletions

public/app/core/utils/text.ts
+17 -1

No files found.
--- a/public/app/core/utils/text.ts
+++ b/public/app/core/utils/text.ts
@@ -44,9 +44,25 @@ export function findMatchesInText(haystack: string, needle: string): TextMatch[]
  return matches;
 }

+const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
+  acc[element] = xss.whiteList[element].concat(['class', 'style']);
+  return acc;
+}, {});
+
+const sanitizeXSS = new xss.FilterXSS({
+  whiteList: XSSWL
+});
+
+/**
+ * Returns string safe from XSS attacks.
+ *
+ * Even though we allow the style-attribute, there's still default filtering applied to it
+ * Info: https://github.com/leizongmin/js-xss#customize-css-filter
+ * Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
+ */
 export function sanitize (unsanitizedString: string): string {
  try {
-    return xss(unsanitizedString);
+    return sanitizeXSS.process(unsanitizedString);
  } catch (error) {
    console.log('String could not be sanitized', unsanitizedString);
    return unsanitizedString;