XSS: Fixed history XSS issue (#22680)

2025-02-25 18:55:37 -06:00 · 2020-03-10 14:56:27 +01:00 · 2020-03-10 14:56:27 +01:00 · da37f4c83f
commit da37f4c83f
parent cd012bdfb4
2 changed files with 5 additions and 5 deletions
--- a/pkg/components/dashdiffs/formatter_basic.go
+++ b/pkg/components/dashdiffs/formatter_basic.go
@ -339,11 +339,11 @@ var (

 		<!-- Overview -->
 		{{ if .Old }}
-			<div class="diff-label">{{ .Old }}</div>
+			<div class="diff-label" ng-non-bindable>{{ .Old }}</div>
 			<i class="diff-arrow fa fa-long-arrow-right"></i>
 		{{ end }}
 		{{ if .New }}
-				<div class="diff-label">{{ .New }}</div>
+				<div class="diff-label" ng-non-bindable>{{ .New }}</div>
 		{{ end }}

 		{{ if .LineStart }}
@ -380,11 +380,11 @@ var (

 		<div class="diff-change-item">
 			{{ if .Old }}
-				<div class="diff-label">{{ .Old }}</div>
+				<div class="diff-label" ng-non-bindable>{{ .Old }}</div>
 				<i class="diff-arrow fa fa-long-arrow-right"></i>
 			{{ end }}
 			{{ if .New }}
-					<div class="diff-label">{{ .New }}</div>
+					<div class="diff-label" ng-non-bindable>{{ .New }}</div>
 			{{ end }}
 		</div>

--- a/pkg/components/dashdiffs/formatter_json.go
+++ b/pkg/components/dashdiffs/formatter_json.go
@ -59,7 +59,7 @@ var (
 	<span class="diff-line-number">
 		{{if .RightLine }}{{ .RightLine }}{{ end }}
 	</span>
-	<span class="diff-value diff-indent-{{ .Indent }}" title="{{ .Text }}">
+	<span class="diff-value diff-indent-{{ .Indent }}" title="{{ .Text }}" ng-non-bindable>
 		{{ .Text }}
 	</span>
 	<span class="diff-line-icon">{{ ctos .Change }}</span>