systemsmanagement:Ardana:8:CentOS:7.3
File 25401-Fix-XSS-vulnerability-with-series-overrides.patch of Package grafana
From 0626158536f9f7985e875c86609c9e0649a560d4 Mon Sep 17 00:00:00 2001 From: Dominik Prokop <dominik.prokop@grafana.com> Date: Fri, 5 Jun 2020 15:53:50 +0200 Subject: [PATCH 1/2] Fix XSS vulnerability with Graph series overrides Edit: refreshed to apply to grafana-6.7.4.tar.gz --- .../datasource/elasticsearch/partials/query.editor.html | 2 +- .../plugins/datasource/testdata/partials/query.editor.html | 4 ++-- public/app/plugins/panel/graph/series_overrides_ctrl.ts | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/public/app/plugins/datasource/elasticsearch/partials/query.editor.html b/public/app/plugins/datasource/elasticsearch/partials/query.editor.html index 48fea594ad69..1100bc44df40 100644 --- a/public/app/plugins/datasource/elasticsearch/partials/query.editor.html +++ b/public/app/plugins/datasource/elasticsearch/partials/query.editor.html @@ -7,7 +7,7 @@ </div> <div class="gf-form max-width-15"> <label class="gf-form-label query-keyword">Alias</label> - <input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()"> + <input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()" pattern='[^<>&\\"]+'> </div> </div> diff --git a/public/app/plugins/datasource/testdata/partials/query.editor.html b/public/app/plugins/datasource/testdata/partials/query.editor.html index e7014def49fa..e1a4ad671cb1 100644 --- a/public/app/plugins/datasource/testdata/partials/query.editor.html +++ b/public/app/plugins/datasource/testdata/partials/query.editor.html 
@@ -12,7 +12,7 @@ </div> <div class="gf-form"> <label class="gf-form-label query-keyword">Alias</label> - <input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-change="ctrl.refresh()" ng-model-onblur> + <input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-model-onblur ng-change="ctrl.refresh()" pattern='[^<>&\\"]+'> </div> <div ng-if="ctrl.showLabels" class="gf-form gf-form--grow"> <label class="gf-form-label query-keyword"> diff --git a/public/app/plugins/panel/graph/series_overrides_ctrl.ts b/public/app/plugins/panel/graph/series_overrides_ctrl.ts index 3b5c18eebb1c..f7db7e045a84 100644 --- a/public/app/plugins/panel/graph/series_overrides_ctrl.ts +++ b/public/app/plugins/panel/graph/series_overrides_ctrl.ts @@ -1,5 +1,6 @@ import _ from 'lodash'; import coreModule from 'app/core/core_module'; +import { textUtil } from '@grafana/data'; /** @ngInject */ export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: any) { @@ -79,7 +80,7 @@ export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: a $scope.getSeriesNames = () => { return _.map($scope.ctrl.seriesList, series => { - return series.alias; + return textUtil.escapeHtml(series.alias); }); };
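Review bot: In the elasticsearch `query.editor.html` hunk, the added `pattern='[^<>&\\"]+'` is a client-side form constraint on one alias input, not a fix for the XSS: an alias that already contains `<`, `>`, `&` or `"` in a saved dashboard, or one set through the dashboard JSON or HTTP API, never passes through this input, so the escaping in `series_overrides_ctrl.ts` has to stand on its own. The denylist also rejects legitimate aliases such as `requests & errors`; if the constraint is kept, it should be documented as intentional, and the `+` quantifier should be noted as harmless since empty values are not validated against `pattern`.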
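Review bot: The testdata `query.editor.html` hunk mixes two changes: the same `pattern='[^<>&\\"]+'` addition as the elasticsearch editor and a reordering of `ng-model-onblur` before `ng-change="ctrl.refresh()"`. Attribute order has no effect here, so the reorder is noise that makes the security-relevant part of the diff harder to see; keep the line as `... ng-model="ctrl.target.alias" ng-change="ctrl.refresh()" ng-model-onblur pattern='[^<>&\\"]+'` so that only the new attribute shows as changed.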
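Review bot: The import hunk in `series_overrides_ctrl.ts` adds `import { textUtil } from '@grafana/data';` and the header says the patch was refreshed to apply to `grafana-6.7.4.tar.gz`; since this is a backport, confirm that the `@grafana/data` package bundled with that tarball exports `textUtil.escapeHtml`, otherwise the build fails at type-check time rather than at runtime. A one-line note in the patch header recording which upstream commit this was refreshed from would make future rebases easier.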
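Review bot: In the `getSeriesNames` hunk, `return textUtil.escapeHtml(series.alias);` changes the value the function returns rather than escaping at the point where the name is rendered, so any caller that compares the returned names back against `series.alias` (for example when an override's alias is selected from the list) now compares `a &amp; b` with `a & b` and fails to match. Confirm that every consumer of `getSeriesNames` only renders the names; if one of them also uses the value as an identifier, return the raw alias and apply `textUtil.escapeHtml` in the rendering path instead, which also avoids double-escaping if the template already escapes.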