XSS: Fixed history XSS issue (#22680)

da37f4c8 · Torkel Ödegaard · GitHub · cd012bdf · da37f4c8 · da37f4c8
Commit da37f4c8 authored Mar 10, 2020 by Torkel Ödegaard Committed by GitHub Mar 10, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

pkg/components/dashdiffs/formatter_basic.go
+4 -4

pkg/components/dashdiffs/formatter_json.go
+1 -1

No files found.
--- a/pkg/components/dashdiffs/formatter_basic.go
+++ b/pkg/components/dashdiffs/formatter_basic.go
@@ -339,11 +339,11 @@ var (

 		<!-- Overview -->
 		{{ if .Old }}
-			<div class="diff-label">{{ .Old }}</div>
+			<div class="diff-label" ng-non-bindable>{{ .Old }}</div>
 			<i class="diff-arrow fa fa-long-arrow-right"></i>
 		{{ end }}
 		{{ if .New }}
-				<div class="diff-label">{{ .New }}</div>
+				<div class="diff-label" ng-non-bindable>{{ .New }}</div>
 		{{ end }}

 		{{ if .LineStart }}
@@ -380,11 +380,11 @@ var (

 		<div class="diff-change-item">
 			{{ if .Old }}
-				<div class="diff-label">{{ .Old }}</div>
+				<div class="diff-label" ng-non-bindable>{{ .Old }}</div>
 				<i class="diff-arrow fa fa-long-arrow-right"></i>
 			{{ end }}
 			{{ if .New }}
-					<div class="diff-label">{{ .New }}</div>
+					<div class="diff-label" ng-non-bindable>{{ .New }}</div>
 			{{ end }}
 		</div>


--- a/pkg/components/dashdiffs/formatter_json.go
+++ b/pkg/components/dashdiffs/formatter_json.go
@@ -59,7 +59,7 @@ var (
 	<span class="diff-line-number">
 		{{if .RightLine }}{{ .RightLine }}{{ end }}
 	</span>
-	<span class="diff-value diff-indent-{{ .Indent }}" title="{{ .Text }}">
+	<span class="diff-value diff-indent-{{ .Indent }}" title="{{ .Text }}" ng-non-bindable>
 		{{ .Text }}
 	</span>
 	<span class="diff-line-icon">{{ ctos .Change }}</span>