mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Fixed XSS issue with file based dashboards, was really caused by an issue with alertSrv accepting html in message alerts
parent
5175cf70ef
commit
d10ce90936
@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
|
||||
}
|
||||
return result.data;
|
||||
},function() {
|
||||
$scope.appEvent('alert-error', ["Dashboard load failed", "Could not load <i>dashboards/"+file+"</i>. Please make sure it exists"]);
|
||||
$scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
|
||||
return false;
|
||||
});
|
||||
};
|
||||
|
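Review bot: The changed `$scope.appEvent('alert-error', ...)` line still concatenates `file` into the alert text, so it is only safe while the alert view keeps rendering that text as plain text. Where `file` comes from is outside this hunk (presumably a route or URL parameter, to be confirmed), so I would record the constraint next to the call: `// file is caller-supplied; alert text is rendered as plain text and must never be treated as HTML`. The message also lost the `dashboards/` prefix; if the request still resolves under that directory, `"Could not load dashboards/"+file+". Please make sure it exists"` keeps the path visible without any markup. The enclosing function starts and ends outside the hunk.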
@ -29,7 +29,7 @@ function (angular, _) {
|
||||
this.set = function(title,text,severity,timeout) {
|
||||
var newAlert = {
|
||||
title: title || '',
|
||||
text: $sce.trustAsHtml(text || ''),
|
||||
text: text || '',
|
||||
severity: severity || 'info',
|
||||
};
|
||||
|
||||
|
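Review bot: `set` now stores `text` as a plain string, which silently changes its contract: any caller elsewhere that passes markup in `text` will have the tags shown literally, and nothing on the function says so. A short comment above `this.set` would pin the rule, e.g. `// title and text are plain text; never wrap them in $sce.trustAsHtml or bind them as HTML`. If `$sce` is no longer used elsewhere in this service (its injection is outside the hunk), it should be dropped from the dependency list so the trusted-HTML path is not reintroduced by habit. The body of `set` continues past the hunk.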
@ -35,7 +35,7 @@
|
||||
<i class="fa fa-times-circle"></i>
|
||||
</button>
|
||||
<div class="alert-title">{{alert.title}}</div>
|
||||
<div ng-bind-html='alert.text'></div>
|
||||
<div ng-bind='alert.text'></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
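Review bot: The new `<div ng-bind='alert.text'></div>` uses single-quoted attribute values while the neighbouring lines use double quotes (`class="alert-title"`), and it binds with `ng-bind` where the title directly above uses `{{alert.title}}`. Both forms escape their value, so this is a style point only; `<div ng-bind="alert.text"></div>` or `<div>{{alert.text}}</div>` would match the rest of the template. The enclosing markup starts outside the hunk.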