IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

TextPanel: Fixes issue with template variable value not properly html escaped (#20588)

Browse Source 
* sanitize html after replacing variables

* TextPanel: Always html escape variable values
This commit is contained in:
Torkel Ödegaard 2019-11-22 10:28:54 +01:00 committed by GitHub
parent 11304b14b6
commit f47759b98e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
public/app/features/templating/specs/template_srv.test.ts
View File

@ -268,6 +268,14 @@ describe('templateSrv', () => {
}); });
}); });
describe('html format', () => {
it('should encode values html escape sequences', () => {
initTemplateSrv([{ type: 'query', name: 'test', current: { value: '<script>alert(asd)</script>' } }]);
const target = _templateSrv.replace('$test', {}, 'html');
expect(target).toBe('&lt;script&gt;alert(asd)&lt;/script&gt;');
});
});
describe('format variable to string values', () => { describe('format variable to string values', () => {
it('single value should return value', () => { it('single value should return value', () => {
const result = _templateSrv.formatValue('test'); const result = _templateSrv.formatValue('test');

7
public/app/features/templating/template_srv.ts
View File

@ -1,6 +1,7 @@
import kbn from 'app/core/utils/kbn'; import kbn from 'app/core/utils/kbn';
import _ from 'lodash'; import _ from 'lodash';
import { variableRegex } from 'app/features/templating/variable'; import { variableRegex } from 'app/features/templating/variable';
import { escapeHtml } from 'app/core/utils/text';
import { ScopedVars, TimeRange } from '@grafana/data'; import { ScopedVars, TimeRange } from '@grafana/data';
function luceneEscape(value: string) { function luceneEscape(value: string) {
@ -165,6 +166,12 @@ export class TemplateSrv {
} }
return value; return value;
} }
case 'html': {
if (_.isArray(value)) {
return escapeHtml(value.join(', '));
}
return escapeHtml(value);
}
case 'json': { case 'json': {
return JSON.stringify(value); return JSON.stringify(value);
} }

6
public/app/plugins/panel/text/module.ts
View File

@ -89,13 +89,13 @@ export class TextPanelCtrl extends PanelCtrl {
} }
updateContent(html: string) { updateContent(html: string) {
html = config.disableSanitizeHtml ? html : sanitize(html);
try { try {
this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars)); html = this.templateSrv.replace(html, this.panel.scopedVars, 'html');
} catch (e) { } catch (e) {
console.log('Text panel error: ', e); console.log('Text panel error: ', e);
this.content = this.$sce.trustAsHtml(html);
} }
this.content = this.$sce.trustAsHtml(config.disableSanitizeHtml ? html : sanitize(html));
} }
} }

4
public/app/plugins/panel/text2/TextPanel.tsx
View File

@ -41,9 +41,9 @@ export class TextPanel extends PureComponent<Props, State> {
prepareHTML(html: string): string { prepareHTML(html: string): string {
const { replaceVariables } = this.props; const { replaceVariables } = this.props;
html = config.disableSanitizeHtml ? html : sanitize(html); html = replaceVariables(html, {}, 'html');
return replaceVariables(html); return config.disableSanitizeHtml ? html : sanitize(html);
} }
prepareText(content: string): string { prepareText(content: string): string {