From f0e61af8e03ca668524bd85ba0417b19f0e12ebf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Tue, 22 Jan 2019 11:56:35 +0100
Subject: [PATCH] Fixed issues with the sanitizie input in text panels, added docs, renamed config option

---
 CHANGELOG.md | 7 +++++--
 conf/defaults.ini | 2 +-
 conf/sample.ini | 5 +++++
 docs/sources/installation/configuration.md | 11 +++++++++++
 pkg/api/frontendsettings.go | 2 +-
 pkg/setting/setting.go | 5 ++---
 public/app/core/config.ts | 4 ++--
 public/app/plugins/panel/text/module.ts | 3 +--
 8 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54133030127..7f5fed293d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,8 +26,11 @@
 * **Prometheus**: Query for annotation always uses 60s step regardless of dashboard range, fixes [#14795](https://github.com/grafana/grafana/issues/14795)
 
 ### Breaking changes
-* **Text Panel**: The text panel does no longer by default allow unsantizied HTML. [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings `disable_sanitize_input`
-under the section `[panels]` in your Grafana ini file, or set env variable `GF_PANELS_DISABLE_SANITIZE_INPUT=true`.
+* **Text Panel**: The text panel does no longer by default allow unsantizied HTML.
+* [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags
+* they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings
+* `disable_sanitize_html` under the section `[panels]` in your Grafana ini file, or set env variable
+* `GF_PANELS_DISABLE_SANITIZE_HTML=true`.
 
 # 5.4.3 (2019-01-14)
 
diff --git a/conf/defaults.ini b/conf/defaults.ini
index b0de259de19..37e1ee2c7df 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -570,7 +570,7 @@ callback_url =
 
 [panels]
 enable_alpha = false
-disable_sanitize_input = false
+disable_sanitize_html = false
 
 [enterprise]
 license_path =
diff --git a/conf/sample.ini b/conf/sample.ini
index 014016d45bc..96b92db6f48 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -495,3 +495,8 @@ log_queries =
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =
 
+[panels]
+;enable_alpha = false
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
+
diff --git a/docs/sources/installation/configuration.md b/docs/sources/installation/configuration.md
index 0e5a55b3c0e..8fa51c88554 100644
--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -589,3 +589,14 @@ Default setting for how Grafana handles nodata or null values in alerting. (aler
 Alert notifications can include images, but rendering many images at the same time can overload the server.
 This limit will protect the server from render overloading and make sure notifications are sent out quickly. Default
 value is `5`.
+
+## [panels]
+
+### enable_alpha
+Set to true if you want to test panels that are not yet ready for general usage.
+
+### disable_sanitize_html
+If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities. Default
+is false. This settings was introduced in Grafana v6.0.
+
+
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go
index adf7e83325e..ed7054050e4 100644
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -166,7 +166,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *m.ReqContext) (map[string]interf
 		"externalUserMngLinkUrl":  setting.ExternalUserMngLinkUrl,
 		"externalUserMngLinkName": setting.ExternalUserMngLinkName,
 		"viewersCanEdit":          setting.ViewersCanEdit,
-		"disableSanitizeInput":    hs.Cfg.DisableSanitizeInput,
+		"disableSanitizeHtml":     hs.Cfg.DisableSanitizeHtml,
 		"buildInfo": map[string]interface{}{
 			"version": setting.BuildVersion,
 			"commit":  setting.BuildCommit,
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 1f9db6fbb78..1e4bc96cd7f 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -90,7 +90,6 @@ var (
 	EmailCodeValidMinutes            int
 	DataProxyWhiteList               map[string]bool
 	DisableBruteForceLoginProtection bool
-	DisableSanitizeInput             bool
 
 	// Snapshots
 	ExternalSnapshotUrl string
@@ -223,7 +222,7 @@ type Cfg struct {
 	MetricsEndpointBasicAuthUsername string
 	MetricsEndpointBasicAuthPassword string
 	EnableAlphaPanels                bool
-	DisableSanitizeInput             bool
+	DisableSanitizeHtml              bool
 	EnterpriseLicensePath            string
 }
 
@@ -711,7 +710,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 
 	panels := iniFile.Section("panels")
 	cfg.EnableAlphaPanels = panels.Key("enable_alpha").MustBool(false)
-	cfg.DisableSanitizeInput = panels.Key("sanitize_input_disabled").MustBool(false)
+	cfg.DisableSanitizeHtml = panels.Key("disable_sanitize_html").MustBool(false)
 
 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()
diff --git a/public/app/core/config.ts b/public/app/core/config.ts
index ce7f0fcfe50..395e40e914b 100644
--- a/public/app/core/config.ts
+++ b/public/app/core/config.ts
@@ -35,7 +35,7 @@ export class Settings {
   loginHint: any;
   loginError: any;
   viewersCanEdit: boolean;
-  disableSanitizeInput: boolean;
+  disableSanitizeHtml: boolean;
 
   constructor(options: Settings) {
     const defaults = {
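Review bot: The third setting.go hunk changes the ini key read in Load from `sanitize_input_disabled` to `disable_sanitize_html` with no transition handling, so a `disable_sanitize_input` entry written under the name that the old defaults.ini and changelog documented is now ignored without any signal to the operator. Because `MustBool(false)` leaves sanitization on, the silent fallback is fail-safe, but a deployment that deliberately opted out will see its text panels change behaviour with nothing in the log explaining why. A small guard after the new line, checking the `panels` section for the old key and logging a warning that names the replacement, would make the rename visible; the same consideration applies to the environment-variable form mentioned in the docs hunk. Load's body continues outside the hunk.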
@@ -53,7 +53,7 @@ export class Settings {
         isEnterprise: false,
       },
       viewersCanEdit: false,
-      disableSanitizeInput: false
+      disableSanitizeHtml: false
     };
 
     _.extend(this, defaults, options);
diff --git a/public/app/plugins/panel/text/module.ts b/public/app/plugins/panel/text/module.ts
index 7d2a0ab0dd0..9c47b8bbe06 100644
--- a/public/app/plugins/panel/text/module.ts
+++ b/public/app/plugins/panel/text/module.ts
@@ -92,8 +92,7 @@ export class TextPanelCtrl extends PanelCtrl {
   }
 
   updateContent(html: string) {
-    const { disableSanitizeInput } = config;
-    html = disableSanitizeInput ? html : sanitize(html);
+    html = config.disableSanitizeHtml ? html : sanitize(html);
     try {
       this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
     } catch (e) {
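Review bot: In updateContent the sanitizer runs on the raw panel text, but `this.templateSrv.replace(html, this.panel.scopedVars)` runs afterwards, directly inside `trustAsHtml`, so whatever a template variable expands to is marked trusted without ever passing through `sanitize`. Whether variable values can carry markup depends on the variable source, which is not visible here, but the ordering means the new default-on sanitization only covers the authored part of the content. Interpolating first and sanitizing the final string, inside the existing try, closes that gap: `const interpolated = this.templateSrv.replace(html, this.panel.scopedVars);` then `this.content = this.$sce.trustAsHtml(config.disableSanitizeHtml ? interpolated : sanitize(interpolated));`, which also removes the reassignment of the `html` parameter. The try/catch of updateContent continues past the end of the hunk.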