Sanitize dashboard name input to prevent XSS attack

webapp/graphite/dashboard/views.py

@@ -14,7 +14,7 @@
 from graphite.dashboard.models import Dashboard, Template
 from graphite.dashboard.send_graph import send_graph_email
 from graphite.render.views import renderView
-from graphite.util import json
+from graphite.util import json, sanitize
 from graphite.user_util import isAuthenticated
 
 fieldRegex = re.compile(r'<([^>]+)>')
@@ -224,9 +224,15 @@ def getPermissions(user):
 def save(request, name):
   if 'change' not in getPermissions(request.user):
     return json_response( dict(error="Must be logged in with appropriate permissions to save") )
+
   # Deserialize and reserialize as a validation step
-  state = str( json.dumps( json.loads( request.POST['state'] ) ) )
+  state = json.loads(request.POST['state'])
+  if state.get("name"):
+    state["name"] = sanitize(state["name"])
+  state = str(json.dumps(state))
 
+  name = sanitize(name)
+
   try:
     dashboard = Dashboard.objects.get(name=name)
   except Dashboard.DoesNotExist:

webapp/graphite/util.py

@@ -29,6 +29,7 @@
 
 from django.conf import settings
 from django.utils.timezone import make_aware
+from django.utils.html import strip_tags
 
 from graphite.compat import HttpResponse
 from graphite.logger import log
@@ -394,3 +395,11 @@ def parseHost(host_string):
 
 def parseHosts(host_strings):
     return [parseHost(host_string) for host_string in host_strings]
+
+
+def sanitize(string):
+  """ 
+  Sanitize input string to prevent XSS vulnerability attack.
+  """
+
+  return strip_tags(string)