Fixed XSS issue with file-based dashboards; it was really caused by alertSrv accepting HTML in message alerts

Torkel Ödegaard 2015-04-29 15:50:47 +02:00
parent 5175cf70ef
commit d10ce90936
3 changed files with 3 additions and 3 deletions


@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
} }
return result.data; return result.data;
},function() { },function() {
$scope.appEvent('alert-error', ["Dashboard load failed", "Could not load <i>dashboards/"+file+"</i>. Please make sure it exists"]); $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
return false; return false;
}); });
}; };
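Review bot: The new `alert-error` message still concatenates `file` into the text unescaped, so it is safe only while the alert view renders `text` as plain text, and nothing at this call site records that dependency. Where `file` comes from is not visible in the hunk, but the commit title suggests it can carry attacker-influenced content. A short comment above the call would help, for example `// file may be untrusted: alert text must stay plain text (rendered via ng-bind)`. The message also lost the `dashboards/` prefix, so the user no longer sees which directory was searched; `"Could not load dashboards/"+file+". Please make sure it exists"` keeps that context without markup. The enclosing function starts outside the hunk.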


@ -29,7 +29,7 @@ function (angular, _) {
this.set = function(title,text,severity,timeout) { this.set = function(title,text,severity,timeout) {
var newAlert = { var newAlert = {
title: title || '', title: title || '',
text: $sce.trustAsHtml(text || ''), text: text || '',
severity: severity || 'info', severity: severity || 'info',
}; };
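Review bot: With `$sce.trustAsHtml` removed, `text` is now a plain-string contract, but `set` does not say so, and any caller that still passes markup will show literal tags. A comment above `var newAlert`, such as `// text is plain text; it is bound with ng-bind and must never be trusted as HTML`, would document that. Callers of `set` and of the alert app events outside this diff are worth checking for embedded tags. If `$sce` is no longer used elsewhere in this service it can presumably be dropped from the injected dependencies; the injection list is outside the hunk.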


@ -35,7 +35,7 @@
<i class="fa fa-times-circle"></i> <i class="fa fa-times-circle"></i>
</button> </button>
<div class="alert-title">{{alert.title}}</div> <div class="alert-title">{{alert.title}}</div>
<div ng-bind-html='alert.text'></div> <div ng-bind='alert.text'></div>
</div> </div>
</div> </div>
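Review bot: The `ng-bind='alert.text'` line is what actually renders markup in alert text inert, yet nothing in the template marks the binding as security-relevant, so a later change back to `ng-bind-html` would look harmless. An HTML comment above it, e.g. `<!-- alert.text may contain untrusted input; keep ng-bind, not ng-bind-html -->`, would make that explicit. As a style point, the attribute uses single quotes while the neighbouring `class="alert-title"` uses double quotes; `<div ng-bind="alert.text"></div>` would match. The enclosing markup starts outside the hunk.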