From d10ce90936cc6f4c53e584f97af39c300e7f6066 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Wed, 29 Apr 2015 15:50:47 +0200
Subject: [PATCH] Fixed XSS issue with file based dashboards, was really casued by an issue with alertSrv accepting html in message alerts
---
 public/app/routes/dashLoadControllers.js | 2 +-
 public/app/services/alertSrv.js | 2 +-
 public/views/index.html | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/public/app/routes/dashLoadControllers.js b/public/app/routes/dashLoadControllers.js
index b19b0c9664f..570ce2b18c1 100644
--- a/public/app/routes/dashLoadControllers.js
+++ b/public/app/routes/dashLoadControllers.js
@@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
 }
 return result.data;
 },function() {
- $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load dashboards/"+file+". Please make sure it exists"]);
+ $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
 return false;
 });
 };
diff --git a/public/app/services/alertSrv.js b/public/app/services/alertSrv.js
index d38c1f4aecc..4a8ef273523 100644
--- a/public/app/services/alertSrv.js
+++ b/public/app/services/alertSrv.js
@@ -29,7 +29,7 @@ function (angular, _) {
 this.set = function(title,text,severity,timeout) {
 var newAlert = {
 title: title || '',
- text: $sce.trustAsHtml(text || ''),
+ text: text || '',
 severity: severity || 'info',
 };
diff --git a/public/views/index.html b/public/views/index.html
index d5dfab06a64..8fb4a93bba6 100644
--- a/public/views/index.html
+++ b/public/views/index.html
@@ -35,7 +35,7 @@
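Review bot: The rejection handler in dashLoadControllers.js still concatenates `file` straight into the alert message, so this call site is safe only while the alert sink renders its text as plain text. The value appears to come from the requested dashboard path, though its origin is outside the hunk. A comment above the `$scope.appEvent('alert-error', ...)` line would record that dependency, e.g. `// file is user-controlled; alert text must be rendered as plain text, never as HTML`. The handler also takes no arguments, so every failure is reported as a missing file; the enclosing function starts and ends outside the hunk.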
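Review bot: Dropping `$sce.trustAsHtml` in `set` makes `text` a plain string, but nothing in alertSrv.js states that contract, so a later caller who wants markup in an alert could reintroduce the trusted wrapper. I would add a comment on the `text: text || '',` line such as `// plain text only: callers pass untrusted strings, do not wrap in $sce.trustAsHtml`, plus a unit test asserting that a message containing markup is stored unchanged as a string. If `$sce` is no longer used elsewhere in the service (the rest of the file is outside the hunk), its injection can be removed too. The fix is complete only if the template shows `alert.text` through an escaping binding rather than an HTML binding; the index.html lines are not legible on this page, so that is worth confirming.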
{{alert.title}}
-
+