Added sanitizer to help text

public/app/features/panel/panel_menu.js

@@ -9,7 +9,7 @@ function (angular, $, _, Tether) {
 
   angular
     .module('grafana.directives')
-    .directive('panelMenu', function($compile, linkSrv) {
+    .directive('panelMenu', function($sanitize, $compile, linkSrv) {
       var linkTemplate =
           '<span class="panel-title drag-handle pointer">' +
             '<span class="icon-gf panel-alert-icon"></span>' +
@@ -19,6 +19,16 @@ function (angular, $, _, Tether) {
             '<span class="panel-time-info" ng-show="ctrl.timeInfo"><i class="fa fa-clock-o"></i> {{ctrl.timeInfo}}</span>' +
           '</span>';
 
+      function sanitizeString(str) {
+        try {
+          return $sanitize(str);
+        }
+        catch(err) {
+          console.log('Could not sanitize annotation string, html escaping instead');
+          return _.escape(str);
+        }
+      }
+
       function createExternalLinkMenu(ctrl) {
         var template = '<div class="panel-menu small">';
         template += '<div class="panel-menu-row">';
@@ -79,6 +89,7 @@ function (angular, $, _, Tether) {
           var $link = $(linkTemplate);
           var $panelLinksBtn = $link.find(".panel-links-btn");
           var $panelContainer = elem.parents(".panel-container");
+          var $panelHelpDrop = $link.find(".panel-help-text");
           var menuScope = null;
           var ctrl = $scope.ctrl;
           var timeout = null;
@@ -93,6 +104,12 @@ function (angular, $, _, Tether) {
             $panelLinksBtn.css({display: showIcon ? 'inline' : 'none'});
           });
 
+          $scope.$watch('ctrl.panel.helpText', function(helpText) {
+            helpText = sanitizeString(helpText);
+            var showIcon = (helpText ? helpText.length > 0 : false) && ctrl.panel.title !== '';
+            $panelHelpDrop.css({display: showIcon ? 'inline' : 'none'});
+          });
+
           function dismiss(time, force) {
             clearTimeout(timeout);
             timeout = null;