Annotations: added html sanitation to prevent markup injection/XSS, Closes #1121

Torkel Ödegaard 2014-11-27 14:46:01 +01:00
parent 9594effb6c
commit 7a4077405e
4 changed files with 15 additions and 14 deletions


@ -9,6 +9,7 @@ define([
'config',
'bootstrap',
'angular-route',
'angular-sanitize',
'angular-strap',
'angular-dragdrop',
'extend-jquery',
@ -61,6 +62,7 @@ function (angular, $, _, appLevelRequire, config) {
var apps_deps = [
'ngRoute',
'ngSanitize',
'$strap.directives',
'ang-drag-drop',
'grafana',


@ -17,6 +17,7 @@ require.config({
filesaver: '../vendor/filesaver',
angular: '../vendor/angular/angular',
'angular-route': '../vendor/angular/angular-route',
'angular-sanitize': '../vendor/angular/angular-sanitize',
'angular-dragdrop': '../vendor/angular/angular-dragdrop',
'angular-strap': '../vendor/angular/angular-strap',
timepicker: '../vendor/angular/timepicker',
@ -86,15 +87,12 @@ require.config({
'jquery.flot.time': ['jquery', 'jquery.flot'],
'jquery.flot.crosshair':['jquery', 'jquery.flot'],
'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
'angular-cookies': ['angular'],
'angular-dragdrop': ['jquery', 'angular'],
'angular-loader': ['angular'],
'angular-mocks': ['angular'],
'angular-resource': ['angular'],
'angular-sanitize': ['angular'],
'angular-route': ['angular'],
'angular-touch': ['angular'],
'bindonce': ['angular'],
'angular-strap': ['angular', 'bootstrap','timepicker', 'datepicker'],
'bindonce': ['angular'],
timepicker: ['jquery', 'bootstrap'],
datepicker: ['jquery', 'bootstrap'],


@ -7,7 +7,7 @@ define([
var module = angular.module('grafana.services');
module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope) {
module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope, $sanitize) {
var promiseCached;
var list = [];
var timezone;
@ -63,9 +63,11 @@ define([
}
function addAnnotation(options) {
var tooltip = "<small><b>" + options.title + "</b><br/>";
var title = $sanitize(options.title);
var tooltip = "<small><b>" + title + "</b><br/>";
if (options.tags) {
tooltip += '<span class="tag label label-tag">' + (options.tags || '') + '</span><br/>';
var tags = $sanitize(options.tags);
tooltip += '<span class="tag label label-tag">' + (tags || '') + '</span><br/>';
}
if (timezone === 'browser') {
@ -76,7 +78,8 @@ define([
}
if (options.text) {
tooltip += options.text.replace(/\n/g, '<br/>');
var text = $sanitize(options.text);
tooltip += text.replace(/\n/g, '<br/>');
}
tooltip += "</small>";
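Review bot: `$sanitize(options.tags)` in the second hunk is passed whatever `options.tags` holds, and the surviving `(tags || '')` fallback suggests it is not always a plain string; if a datasource ever supplies tags as an array, `$sanitize` would either throw or serialize the array as one comma-joined string, so coercing first, `var tags = $sanitize(String(options.tags));` (or joining with a separator the tooltip expects), would make the contract explicit. It is also worth a comment at the sanitized `title` line that `$sanitize` is an allowlist sanitizer, not an escaper: `// $sanitize keeps allowlisted tags (b, a, etc.) and drops unsafe markup/attributes; it does not escape all HTML`, so a reader knows annotation authors can still place benign markup in the tooltip and that plain-text escaping would be the stricter choice if that is unwanted. The same consideration applies to the `text` line in the third hunk, where the newline-to-`<br/>` replacement is applied after sanitizing, which is the correct order. addAnnotation continues past the end of this hunk, so where `tooltip` is finally inserted into the DOM is not visible here.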

View File

@ -18,6 +18,7 @@ require.config({
angular: '../vendor/angular/angular',
'angular-route': '../vendor/angular/angular-route',
'angular-sanitize': '../vendor/angular/angular-sanitize',
angularMocks: '../vendor/angular/angular-mocks',
'angular-dragdrop': '../vendor/angular/angular-dragdrop',
'angular-strap': '../vendor/angular/angular-strap',
@ -80,14 +81,11 @@ require.config({
'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
'angular-route': ['angular'],
'angular-cookies': ['angular'],
'angular-sanitize': ['angular'],
'angular-dragdrop': ['jquery', 'angular'],
'angular-loader': ['angular'],
'angular-mocks': ['angular'],
'angular-resource': ['angular'],
'angular-touch': ['angular'],
'bindonce': ['angular'],
'angular-strap': ['angular', 'bootstrap','timepicker', 'datepicker'],
'bindonce': ['angular'],
'bootstrap-tagsinput': ['jquery'],