IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

TextPanel: Fixes issue with template variable value not properly html escaped (#20588)

Browse Source 
* sanitize html after replacing variables

* TextPanel: Always html escape variable values
This commit is contained in:
Torkel Ödegaard 2019-11-22 10:28:54 +01:00 committed by GitHub
parent 11304b14b6
commit f47759b98e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
public/app/features/templating/specs/template_srv.test.ts
View File

@ -268,6 +268,14 @@ describe('templateSrv', () => {
});
});
describe('html format', () => {
it('should encode values html escape sequences', () => {
initTemplateSrv([{ type: 'query', name: 'test', current: { value: '<script>alert(asd)</script>' } }]);
const target = _templateSrv.replace('$test', {}, 'html');
expect(target).toBe('&lt;script&gt;alert(asd)&lt;/script&gt;');
});
});
describe('format variable to string values', () => {
it('single value should return value', () => {
const result = _templateSrv.formatValue('test');

7
public/app/features/templating/template_srv.ts
View File

@ -1,6 +1,7 @@
import kbn from 'app/core/utils/kbn';
import _ from 'lodash';
import { variableRegex } from 'app/features/templating/variable';
import { escapeHtml } from 'app/core/utils/text';
import { ScopedVars, TimeRange } from '@grafana/data';
function luceneEscape(value: string) {
@ -165,6 +166,12 @@ export class TemplateSrv {
}
return value;
}
case 'html': {
if (_.isArray(value)) {
return escapeHtml(value.join(', '));
}
return escapeHtml(value);
}
case 'json': {
return JSON.stringify(value);
}

6
public/app/plugins/panel/text/module.ts
View File

@ -89,13 +89,13 @@ export class TextPanelCtrl extends PanelCtrl {
}
updateContent(html: string) {
html = config.disableSanitizeHtml ? html : sanitize(html);
try {
this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
html = this.templateSrv.replace(html, this.panel.scopedVars, 'html');
} catch (e) {
console.log('Text panel error: ', e);
this.content = this.$sce.trustAsHtml(html);
}
this.content = this.$sce.trustAsHtml(config.disableSanitizeHtml ? html : sanitize(html));
}
}

4
public/app/plugins/panel/text2/TextPanel.tsx
View File

@ -41,9 +41,9 @@ export class TextPanel extends PureComponent<Props, State> {
prepareHTML(html: string): string {
const { replaceVariables } = this.props;
html = config.disableSanitizeHtml ? html : sanitize(html);
html = replaceVariables(html, {}, 'html');
return replaceVariables(html);
return config.disableSanitizeHtml ? html : sanitize(html);
}
prepareText(content: string): string {