From 7a4077405e0a5299d0850cd523793d64aa169057 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Thu, 27 Nov 2014 14:46:01 +0100
Subject: [PATCH] Annotations: added html sanitation to prevent markup injection/XSS, Closes #1121
---
 src/app/app.js | 2 ++
 src/app/components/require.config.js | 8 +++-----
 src/app/services/annotationsSrv.js | 11 +++++++----
 src/test/test-main.js | 8 +++-----
 4 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/app/app.js b/src/app/app.js
index bc5ece75eda..86e5c8e3bcc 100644
--- a/src/app/app.js
+++ b/src/app/app.js
@@ -9,6 +9,7 @@ define([
 'config',
 'bootstrap',
 'angular-route',
+ 'angular-sanitize',
 'angular-strap',
 'angular-dragdrop',
 'extend-jquery',
@@ -61,6 +62,7 @@ function (angular, $, _, appLevelRequire, config) {
 var apps_deps = [
 'ngRoute',
+ 'ngSanitize',
 '$strap.directives',
 'ang-drag-drop',
 'grafana',
diff --git a/src/app/components/require.config.js b/src/app/components/require.config.js
index 882583083c6..dacd6fc03d1 100644
--- a/src/app/components/require.config.js
+++ b/src/app/components/require.config.js
@@ -17,6 +17,7 @@ require.config({
 filesaver: '../vendor/filesaver',
 angular: '../vendor/angular/angular',
 'angular-route': '../vendor/angular/angular-route',
+ 'angular-sanitize': '../vendor/angular/angular-sanitize',
 'angular-dragdrop': '../vendor/angular/angular-dragdrop',
 'angular-strap': '../vendor/angular/angular-strap',
 timepicker: '../vendor/angular/timepicker',
@@ -86,15 +87,12 @@ require.config({
 'jquery.flot.time': ['jquery', 'jquery.flot'],
 'jquery.flot.crosshair':['jquery', 'jquery.flot'],
 'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
- 'angular-cookies': ['angular'],
 'angular-dragdrop': ['jquery', 'angular'],
- 'angular-loader': ['angular'],
 'angular-mocks': ['angular'],
- 'angular-resource': ['angular'],
+ 'angular-sanitize': ['angular'],
 'angular-route': ['angular'],
- 'angular-touch': ['angular'],
- 'bindonce': ['angular'],
 'angular-strap': ['angular', 'bootstrap','timepicker', 'datepicker'],
+ 'bindonce': ['angular'],
 timepicker: ['jquery', 'bootstrap'],
 datepicker: ['jquery', 'bootstrap'],
diff --git a/src/app/services/annotationsSrv.js b/src/app/services/annotationsSrv.js
index fdc5e9ca745..68b5c85b5dd 100644
--- a/src/app/services/annotationsSrv.js
+++ b/src/app/services/annotationsSrv.js
@@ -7,7 +7,7 @@ define([
 var module = angular.module('grafana.services');
- module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope) {
+ module.service('annotationsSrv', function(datasourceSrv, $q, alertSrv, $rootScope, $sanitize) {
 var promiseCached;
 var list = [];
 var timezone;
@@ -63,9 +63,11 @@ define([
 }
 function addAnnotation(options) {
- var tooltip = "" + options.title + "
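Review bot: The shim removals for `'angular-cookies'`, `'angular-loader'`, `'angular-resource'` and `'angular-touch'` in the @@ -86,15 +87,12 @@ hunk are unrelated to the sanitize fix named in the commit message, and nothing in the hunk shows whether their `paths` entries go away as well. If a `paths` entry for any of them survives and some module still requires it, dropping the `['angular']` shim removes the guarantee that angular is loaded first, which cannot be verified from here; landing that cleanup as its own commit would keep the security fix reviewable on its own. The same removals are repeated in the src/test/test-main.js hunk at @@ -80,14 +81,11 @@.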
";
+ var title = $sanitize(options.title);
+ var tooltip = "" + title + "
";
 if (options.tags) {
- tooltip += '' + (options.tags || '') + '
';
+ var tags = $sanitize(options.tags);
+ tooltip += '' + (tags || '') + '
';
 }
 if (timezone === 'browser') {
@@ -76,7 +78,8 @@ define([
 }
 if (options.text) {
- tooltip += options.text.replace(/\n/g, '
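Review bot: `$sanitize` is now applied to `options.title` and `options.tags` with no handling for input it rejects; in the AngularJS 1.x releases of this period it throws a `$sanitize:badparse` error on markup it cannot parse, so a single malformed annotation returned by a datasource would abort building the whole annotation list instead of just that one tooltip. Catching that error where addAnnotation is invoked and skipping the offending annotation (never falling back to the unsanitized value) would contain the failure; addAnnotation's body continues past the hunk. Separately, `(tags || '')` is now dead code: the branch is guarded by `if (options.tags)` and `$sanitize` returns a string, so the line can concatenate `tags` directly.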
');
+ var text = $sanitize(options.text);
+ tooltip += text.replace(/\n/g, '
');
 }
 tooltip += "
";
diff --git a/src/test/test-main.js b/src/test/test-main.js
index 63d70182aa5..0bd14949b33 100644
--- a/src/test/test-main.js
+++ b/src/test/test-main.js
@@ -18,6 +18,7 @@ require.config({
 angular: '../vendor/angular/angular',
 'angular-route': '../vendor/angular/angular-route',
+ 'angular-sanitize': '../vendor/angular/angular-sanitize',
 angularMocks: '../vendor/angular/angular-mocks',
 'angular-dragdrop': '../vendor/angular/angular-dragdrop',
 'angular-strap': '../vendor/angular/angular-strap',
@@ -80,14 +81,11 @@ require.config({
 'jquery.flot.fillbelow':['jquery', 'jquery.flot'],
 'angular-route': ['angular'],
- 'angular-cookies': ['angular'],
+ 'angular-sanitize': ['angular'],
 'angular-dragdrop': ['jquery', 'angular'],
- 'angular-loader': ['angular'],
 'angular-mocks': ['angular'],
- 'angular-resource': ['angular'],
- 'angular-touch': ['angular'],
- 'bindonce': ['angular'],
 'angular-strap': ['angular', 'bootstrap','timepicker', 'datepicker'],
+ 'bindonce': ['angular'],
 'bootstrap-tagsinput': ['jquery'],
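Review bot: No spec pins the new sanitization: the src/test/test-main.js hunks only register `angular-sanitize` with the test runner, and nothing in the patch exercises addAnnotation with markup in `title`, `tags` or `text`. A unit test asserting that a script element placed in `options.text` is absent from the resulting tooltip, while a plain newline still becomes a line break, would keep the fix from regressing silently. The `text.replace(/\n/g, …)` call in the @@ -76,7 +78,8 @@ hunk correctly runs after `$sanitize`, since the break tag it inserts is trusted markup; a comment such as `// sanitize user-supplied fields before appending trusted tooltip markup (#1121)` above the first `$sanitize` call in addAnnotation would record that ordering for the next maintainer.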