TextPanel: Fixes issue with template variable value not properly html escaped (#20588)

* sanitize html after replacing variables * TextPanel: Always html escape variable values

TextPanel: Fixes issue with template variable value not properly html escaped (#20588)
* sanitize html after replacing variables * TextPanel: Always html escape variable values
f47759b9 · Torkel Ödegaard · GitHub · 11304b14 · f47759b9 · f47759b9
Commit f47759b9 authored Nov 22, 2019 by Torkel Ödegaard Committed by GitHub Nov 22, 2019
Showing with 20 additions and 5 deletions

public/app/features/templating/specs/template_srv.test.ts
+8 -0

public/app/features/templating/template_srv.ts
+7 -0

public/app/plugins/panel/text/module.ts
+3 -3

public/app/plugins/panel/text2/TextPanel.tsx
+2 -2

No files found.
--- a/public/app/features/templating/specs/template_srv.test.ts
+++ b/public/app/features/templating/specs/template_srv.test.ts
@@ -268,6 +268,14 @@ describe('templateSrv', () => {
    });
  });

+  describe('html format', () => {
+    it('should encode values html escape sequences', () => {
+      initTemplateSrv([{ type: 'query', name: 'test', current: { value: '<script>alert(asd)</script>' } }]);
+      const target = _templateSrv.replace('$test', {}, 'html');
+      expect(target).toBe('&lt;script&gt;alert(asd)&lt;/script&gt;');
+    });
+  });
+
  describe('format variable to string values', () => {
    it('single value should return value', () => {
      const result = _templateSrv.formatValue('test');

--- a/public/app/features/templating/template_srv.ts
+++ b/public/app/features/templating/template_srv.ts
 import kbn from 'app/core/utils/kbn';
 import _ from 'lodash';
 import { variableRegex } from 'app/features/templating/variable';
+import { escapeHtml } from 'app/core/utils/text';
 import { ScopedVars, TimeRange } from '@grafana/data';

 function luceneEscape(value: string) {
@@ -165,6 +166,12 @@ export class TemplateSrv {
        }
        return value;
      }
+      case 'html': {
+        if (_.isArray(value)) {
+          return escapeHtml(value.join(', '));
+        }
+        return escapeHtml(value);
+      }
      case 'json': {
        return JSON.stringify(value);
      }

--- a/public/app/plugins/panel/text/module.ts
+++ b/public/app/plugins/panel/text/module.ts
@@ -89,13 +89,13 @@ export class TextPanelCtrl extends PanelCtrl {
  }

  updateContent(html: string) {
-    html = config.disableSanitizeHtml ? html : sanitize(html);
    try {
-      this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
+      html = this.templateSrv.replace(html, this.panel.scopedVars, 'html');
    } catch (e) {
      console.log('Text panel error: ', e);
-      this.content = this.$sce.trustAsHtml(html);
    }
+
+    this.content = this.$sce.trustAsHtml(config.disableSanitizeHtml ? html : sanitize(html));
  }
 }


--- a/public/app/plugins/panel/text2/TextPanel.tsx
+++ b/public/app/plugins/panel/text2/TextPanel.tsx
@@ -41,9 +41,9 @@ export class TextPanel extends PureComponent<Props, State> {
  prepareHTML(html: string): string {
    const { replaceVariables } = this.props;

-    html = config.disableSanitizeHtml ? html : sanitize(html);
+    html = replaceVariables(html, {}, 'html');

-    return replaceVariables(html);
+    return config.disableSanitizeHtml ? html : sanitize(html);
  }

  prepareText(content: string): string {