TablePabel: Sanitize column link (#21735)

public/app/plugins/panel/table/renderer.ts

@@ -14,6 +14,7 @@ import {
 import { TemplateSrv } from 'app/features/templating/template_srv';
 import { ColumnRender, TableRenderModel, ColumnStyle } from './types';
 import { ColumnOptionsCtrl } from './column_options';
+import { sanitizeUrl } from 'app/core/utils/text';
 
 export class TableRenderer {
   formatters: any[];
@@ -297,13 +298,15 @@ export class TableRenderer {
       scopedVars['__cell'] = { value: value, text: value ? value.toString() : '' };
 
       const cellLink = this.templateSrv.replace(column.style.linkUrl, scopedVars, encodeURIComponent);
+      const sanitizedCellLink = sanitizeUrl(cellLink);
+
       const cellLinkTooltip = this.templateSrv.replace(column.style.linkTooltip, scopedVars);
       const cellTarget = column.style.linkTargetBlank ? '_blank' : '';
 
       cellClasses.push('table-panel-cell-link');
 
       columnHtml += `
-        <a href="${cellLink}" target="${cellTarget}" data-link-tooltip data-original-title="${cellLinkTooltip}" data-placement="right"${cellStyle}>
+        <a href="${sanitizedCellLink}" target="${cellTarget}" data-link-tooltip data-original-title="${cellLinkTooltip}" data-placement="right"${cellStyle}>
           ${value}
         </a>
       `;