Fixed XSS issue with file based dashboards, was really casued by an issue with alertSrv accepting html in message alerts

2025-02-25 18:55:37 -06:00 · 2015-04-29 15:50:47 +02:00 · 2015-04-29 15:50:47 +02:00 · d10ce90936
commit d10ce90936
parent 5175cf70ef
3 changed files with 3 additions and 3 deletions
--- a/public/app/routes/dashLoadControllers.js
+++ b/public/app/routes/dashLoadControllers.js
@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
        }
        return result.data;
      },function() {
-        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load <i>dashboards/"+file+"</i>. Please make sure it exists"]);
+        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
        return false;
      });
    };
--- a/public/app/services/alertSrv.js
+++ b/public/app/services/alertSrv.js
@ -29,7 +29,7 @@ function (angular, _) {
    this.set = function(title,text,severity,timeout) {
      var newAlert = {
        title: title || '',
-        text: $sce.trustAsHtml(text || ''),
+        text: text || '',
        severity: severity || 'info',
      };

--- a/public/views/index.html
+++ b/public/views/index.html
@ -35,7 +35,7 @@
 						<i class="fa fa-times-circle"></i>
 					</button>
 					<div class="alert-title">{{alert.title}}</div>
-					<div ng-bind-html='alert.text'></div>
+					<div ng-bind='alert.text'></div>
 				</div>
 			</div>