[v9.4.x] Fix xss in Graphite functions tooltip (#805)
Fix xss in Graphite functions tooltip (#804)

(cherry picked from commit 87aad3f11836f810ee1fdfee27827e746ef36055)

Co-authored-by: Ludovic Viaud <ludovic.viaud@gmail.com>
2 people authored and kminehart committed Mar 16, 2023
1 parent bb6607d commit ef2eb2b
Showing 1 changed file with 1 addition and 3 deletions.
Expand Up @@ -11,11 +11,9 @@ export interface FunctionEditorControlsProps {
}

const FunctionDescription = React.lazy(async () => {
// @ts-ignore
const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
return {
default(props: { description?: string }) {
return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
return <div>{props.description}</div>;
},
};
});
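Review bot: The new `return <div>{props.description}</div>;` line carries no comment explaining why the description is deliberately rendered as escaped text, so the next person who wants formatted tooltips may reintroduce `dangerouslySetInnerHTML`; add `// Rendered as text on purpose: JSX escapes the value, so a function description cannot inject markup into the tooltip.` above it. If the `rst2html` dynamic import and its `@ts-ignore` are the deleted lines (the diffstat of 1 addition and 3 deletions suggests so), the factory passed to `React.lazy` no longer awaits anything, and `FunctionDescription` could become a plain component without the lazy wrapper or the Suspense boundary its callers presumably provide. The commit message does not say that descriptions authored in RST will now show their raw markup instead of rendered HTML; a sentence noting that trade-off would help whoever looks at the tooltip later.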

1 comment on commit ef2eb2b

@santikris2003

Shouldn't the fix be something like this:
import DOMPurify from 'dompurify';

const FunctionDescription = React.lazy(async () => {
// @ts-ignore
const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
return {
default(props: { description?: string }) {
const sanitizedDescription = DOMPurify.sanitize(props.description ?? '');
return <div dangerouslySetInnerHTML={{ __html: rst2html(sanitizedDescription) }} />;
},
};
});
