Merge pull request #14988 from grafana/sanitize-input-fixes

Fixed issues with the sanitizie input in text panels
2024-11-27 11:20:27 -06:00 · 2019-01-22 12:26:51 +01:00 · 2019-01-22 12:26:51 +01:00 · 75e3d90089
commit 75e3d90089
parent caa9a90bfd f0e61af8e0
8 changed files with 28 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -26,8 +26,11 @@
 * **Prometheus**: Query for annotation always uses 60s step regardless of dashboard range, fixes [#14795](https://github.com/grafana/grafana/issues/14795)

 ### Breaking changes
-* **Text Panel**: The text panel does no longer by default allow unsantizied HTML. [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings `disable_sanitize_input` 
-under the section `[panels]` in your Grafana ini file, or set env variable `GF_PANELS_DISABLE_SANITIZE_INPUT=true`. 
+* **Text Panel**: The text panel does no longer by default allow unsantizied HTML.
+* [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags
+* they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings
+* `disable_sanitize_html` under the section `[panels]` in your Grafana ini file, or set env variable
+* `GF_PANELS_DISABLE_SANITIZE_HTML=true`.

 # 5.4.3 (2019-01-14)

--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -570,7 +570,7 @@ callback_url =

 [panels]
 enable_alpha = false
-disable_sanitize_input = false
+disable_sanitize_html = false

 [enterprise]
 license_path =
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -495,3 +495,8 @@ log_queries =
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =

+[panels]
+;enable_alpha = false
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
+
--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@ -589,3 +589,14 @@ Default setting for how Grafana handles nodata or null values in alerting. (aler
 Alert notifications can include images, but rendering many images at the same time can overload the server.
 This limit will protect the server from render overloading and make sure notifications are sent out quickly. Default
 value is `5`.
+
+## [panels]
+
+### enable_alpha
+Set to true if you want to test panels that are not yet ready for general usage.
+
+### disable_sanitize_html
+If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities. Default
+is false. This settings was introduced in Grafana v6.0.
+
+
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@ -166,7 +166,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *m.ReqContext) (map[string]interf
 		"externalUserMngLinkUrl":     setting.ExternalUserMngLinkUrl,
 		"externalUserMngLinkName":    setting.ExternalUserMngLinkName,
 		"viewersCanEdit":             setting.ViewersCanEdit,
-		"disableSanitizeInput":       hs.Cfg.DisableSanitizeInput,
+		"disableSanitizeHtml":        hs.Cfg.DisableSanitizeHtml,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -90,7 +90,6 @@ var (
 	EmailCodeValidMinutes            int
 	DataProxyWhiteList               map[string]bool
 	DisableBruteForceLoginProtection bool
-	DisableSanitizeInput             bool

 	// Snapshots
 	ExternalSnapshotUrl   string
@ -223,7 +222,7 @@ type Cfg struct {
 	MetricsEndpointBasicAuthUsername string
 	MetricsEndpointBasicAuthPassword string
 	EnableAlphaPanels                bool
-	DisableSanitizeInput             bool
+	DisableSanitizeHtml              bool
 	EnterpriseLicensePath            string
 }

@ -711,7 +710,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {

 	panels := iniFile.Section("panels")
 	cfg.EnableAlphaPanels = panels.Key("enable_alpha").MustBool(false)
-	cfg.DisableSanitizeInput = panels.Key("sanitize_input_disabled").MustBool(false)
+	cfg.DisableSanitizeHtml = panels.Key("disable_sanitize_html").MustBool(false)

 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()
--- a/public/app/core/config.ts
+++ b/public/app/core/config.ts
@ -35,7 +35,7 @@ export class Settings {
  loginHint: any;
  loginError: any;
  viewersCanEdit: boolean;
-  disableSanitizeInput: boolean;
+  disableSanitizeHtml: boolean;

  constructor(options: Settings) {
    const defaults = {
@ -53,7 +53,7 @@ export class Settings {
        isEnterprise: false,
      },
      viewersCanEdit: false,
-      disableSanitizeInput: false
+      disableSanitizeHtml: false
    };

    _.extend(this, defaults, options);
--- a/public/app/plugins/panel/text/module.ts
+++ b/public/app/plugins/panel/text/module.ts
@ -92,8 +92,7 @@ export class TextPanelCtrl extends PanelCtrl {
  }

  updateContent(html: string) {
-    const { disableSanitizeInput } = config;
-    html = disableSanitizeInput ? html : sanitize(html);
+    html = config.disableSanitizeHtml ? html : sanitize(html);
    try {
      this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
    } catch (e) {