
HTML injection in panel links (drilldown) #17718

Closed

Description

@torkelo

You can inject image tags in panel drilldown links (via the Title & URL fields).

There is no script injection as this is already sanitized.

But for these fields there is no need to have HTML here.

Problem is here:
https://github.com/grafana/grafana/blob/master/public/app/features/panel/panel_ctrl.ts#L269

Think using an escape function when building the HTML there would solve it.

Here is where you can replicate it:

[Screenshot: Screen Shot 2019-06-24 at 10 13 52]
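The fix the issue proposes, shown as an added example. This is not code from the Grafana repository; the function and field names (`buildLinkHtml`, `link.title`, `link.url`, `link.target`) are assumed for illustration, and the sample link is constructed. The unsafe builder interpolates the user-controlled fields directly, which is the pattern the issue describes; the fixed builder runs every interpolated field through an HTML escape function and allow-lists the `target` value rather than treating it as free text.

```javascript
// Added example (not Grafana's own code): escaping user-controlled link
// fields before they are interpolated into panel drilldown HTML.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure, which covers
// both element text and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: raw interpolation of title/url into markup. Any tag in
// either field becomes part of the rendered DOM.
function buildLinkHtmlUnsafe(link) {
  return `<a href="${link.url}" target="${link.target || '_blank'}">${link.title}</a>`;
}

// Fixed pattern: every interpolated field is escaped, and target is an
// allow-listed value rather than user text.
function buildLinkHtml(link) {
  const target = link.target === '_self' ? '_self' : '_blank';
  return `<a href="${escapeHtml(link.url)}" target="${target}">${escapeHtml(link.title)}</a>`;
}

// Constructed sample input: a title carrying an image tag and a url that
// tries to close the href attribute early.
const sampleLink = {
  title: 'Details <img src="x">',
  url: 'https://example.com/?q="><b>x</b>',
};

// Structural check used below: count opening tags ('<' followed by a
// letter). A correctly escaped link renders exactly one, the anchor itself.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe:', buildLinkHtmlUnsafe(sampleLink), countTags(buildLinkHtmlUnsafe(sampleLink)));
console.log('fixed: ', buildLinkHtml(sampleLink), countTags(buildLinkHtml(sampleLink)));
```

The `countTags` helper is a cheap way to assert the property the issue wants: after the fix, the only element in the output is the anchor, regardless of what the title or URL fields contain.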
