IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15005 from grafana/xss-filter-allow-class-style

Browse Source 
XSS sanitizer allows class and style attributes
This commit is contained in:
Torkel Ödegaard 2019-01-23 12:06:57 +01:00 committed by GitHub
commit d9f11fa658
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
public/app/core/utils/text.ts
View File

@ -44,9 +44,25 @@ export function findMatchesInText(haystack: string, needle: string): TextMatch[]
return matches; return matches;
} }
const XSSWL = Object.keys(xss.whiteList).reduce((acc, element) => {
acc[element] = xss.whiteList[element].concat(['class', 'style']);
return acc;
}, {});
const sanitizeXSS = new xss.FilterXSS({
whiteList: XSSWL
});
/**
* Returns string safe from XSS attacks.
*
* Even though we allow the style-attribute, there's still default filtering applied to it
* Info: https://github.com/leizongmin/js-xss#customize-css-filter
* Whitelist: https://github.com/leizongmin/js-css-filter/blob/master/lib/default.js
*/
export function sanitize (unsanitizedString: string): string { export function sanitize (unsanitizedString: string): string {
try { try {
return xss(unsanitizedString); return sanitizeXSS.process(unsanitizedString);
} catch (error) { } catch (error) {
console.log('String could not be sanitized', unsanitizedString); console.log('String could not be sanitized', unsanitizedString);
return unsanitizedString; return unsanitizedString;