Graph: Fix XSS vulnerability with series overrides (#25401)

* Fix XSS vulnerability with Graph series overrides * Update public/app/plugins/datasource/testdata/partials/query.editor.html
2025-02-03 20:21:01 -06:00 · 2020-06-08 17:13:01 +02:00 · 2020-06-08 17:13:01 +02:00 · c53435f7a7
commit c53435f7a7
parent c7e38fd47f
3 changed files with 5 additions and 4 deletions
--- a/public/app/plugins/datasource/elasticsearch/partials/query.editor.html
+++ b/public/app/plugins/datasource/elasticsearch/partials/query.editor.html
@ -7,7 +7,7 @@
 		</div>
 		<div class="gf-form max-width-15">
 			<label class="gf-form-label query-keyword">Alias</label>
-			<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()">
+			<input type="text" class="gf-form-input" ng-model="ctrl.target.alias" spellcheck='false' placeholder="alias patterns" ng-blur="ctrl.refresh()" pattern='[^<>&\\"]+'>
 		</div>
 	</div>

--- a/public/app/plugins/datasource/testdata/partials/query.editor.html
+++ b/public/app/plugins/datasource/testdata/partials/query.editor.html
@ -12,7 +12,7 @@
 		</div>
 		<div class="gf-form">
 			<label class="gf-form-label query-keyword width-7">Alias</label>
-			<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-change="ctrl.refresh()" ng-model-onblur>
+			<input type="text" class="gf-form-input width-14" placeholder="optional" ng-model="ctrl.target.alias" ng-model-onblur ng-change="ctrl.refresh()" pattern='[^<>&\\"]+'>
 		</div>
 		<div ng-if="ctrl.showLabels" class="gf-form gf-form--grow">
 			<label class="gf-form-label query-keyword width-7">
@ -215,7 +215,7 @@
 		</div>
 	</div>

-	
+
 	<div class="gf-form-inline" ng-if="ctrl.scenario.id === 'arrow'">
 		<div class="gf-form" style="width: 100%;">
 			<textarea type="string"
--- a/public/app/plugins/panel/graph/series_overrides_ctrl.ts
+++ b/public/app/plugins/panel/graph/series_overrides_ctrl.ts
@ -1,5 +1,6 @@
 import _ from 'lodash';
 import coreModule from 'app/core/core_module';
+import { textUtil } from '@grafana/data';

 /** @ngInject */
 export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: any) {
@ -79,7 +80,7 @@ export function SeriesOverridesCtrl($scope: any, $element: JQuery, popoverSrv: a

  $scope.getSeriesNames = () => {
    return _.map($scope.ctrl.seriesList, series => {
-      return series.alias;
+      return textUtil.escapeHtml(series.alias);
    });
  };