fix: Use custom whitelist for XSS sanitizer to allow class and style attributes
This commit is contained in:
parent
909d89077d
commit
5c72e4e668
@ -44,9 +44,25 @@ export function findMatchesInText(haystack: string, needle: string): TextMatch[]
|
||||
return matches;
|
||||
}
|
||||
|
||||
const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
|
||||
acc[element] = xss.whiteList[element].concat(['class', 'style']);
|
||||
return acc;
|
||||
}, {});
|
||||
|
||||
const sanitizeXSS = new xss.FilterXSS({
|
||||
whiteList: XSSWL
|
||||
});
|
||||
|
||||
/**
|
||||
* Returns string safe from XSS attacks.
|
||||
*
|
||||
* Even though we allow the style-attribute, there's still default filtering applied to it
|
||||
* Info: https://github.com/leizongmin/js-xss#customize-css-filter
|
||||
* Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
|
||||
*/
|
||||
export function sanitize (unsanitizedString: string): string {
|
||||
try {
|
||||
return xss(unsanitizedString);
|
||||
return sanitizeXSS.process(unsanitizedString);
|
||||
} catch (error) {
|
||||
console.log('String could not be sanitized', unsanitizedString);
|
||||
return unsanitizedString;
|
||||
|
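Review bot: The `XSSWL` accumulator is seeded with an untyped `{}`, so `acc[element] = ...` relies on an implicit-any string index and will not compile under `noImplicitAny`/`strict`; type the seed, e.g. `}, {} as Record<string, string[]>);`, so the shape handed to `new xss.FilterXSS({ whiteList })` is checked rather than assumed. Because `style` is now accepted on every whitelisted tag, the sanitizer's guarantee for that attribute rests entirely on js-xss's default CSS filter cited in the docstring; a unit test that passes a constructed `style` value containing a property outside that CSS whitelist and asserts it is stripped would pin the assumption the comment makes. The pre-existing `catch` still logs and returns the unsanitized input, so an exception from the new `sanitizeXSS.process()` call also fails open; a one-line comment such as `// NOTE: fail-open on sanitizer error — callers must not rely on this path for untrusted HTML` (or returning an empty string instead) would make that trade-off explicit. The closing braces of `sanitize` are outside the hunk.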