XSS: Option to disable and / or sanitize html in text panels #4117
Comments
This issue actually happened on our grafana. We write some urls to elastic search, then printed as legend in grafana, then XSS happens. This xss vulnerability can be used as a penetration attack method.

@jokerlee what version of Grafana are you using? The graph legend html encodes the series name so the XSS should not be possible in that case

Any updates or plans on fixing this?

I would also like to see this fixed, including as a configurable option.

Any updates on this?
Text panels can contain any html and therefore pose an XSS security problem.
Grafana should come with a backend option to disable and/or sanitize html in text panels.
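The two options the issue body asks for, as an added example that is not Grafana's own code: a fail-closed allow-list sanitizer for a "sanitize" mode and plain escaping for a "disable" mode, selected by a backend-controlled setting. The names renderTextPanel, sanitizeHtml, escapeHtml, ALLOWED_TAGS and the mode strings are assumptions.

```javascript
// Added example, not Grafana's own code. renderTextPanel(), sanitizeHtml(),
// escapeHtml(), ALLOWED_TAGS and the mode strings are assumed names.

// Tags passed through in "sanitize" mode. Only bare tags with no attributes
// are accepted, so no event handler, href/src or style can ride along.
const ALLOWED_TAGS = new Set([
  "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "h1", "h2", "h3", "code", "pre",
]);

// Escape every character that has meaning to an HTML parser.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fail-closed sanitizer: only "<tag>", "</tag>" or "<tag/>" for an allow-listed
// name is emitted as markup; all other text, including any '<' that does not
// form such a tag (so anything carrying attributes), is escaped.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    const name = m[1].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? m[0].toLowerCase() : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

// Backend-controlled mode: "disable" renders panel content as plain text,
// "sanitize" keeps simple formatting. Unknown modes fail rather than fall
// back to raw HTML.
function renderTextPanel(content, mode) {
  if (mode === "disable") return escapeHtml(content);
  if (mode === "sanitize") return sanitizeHtml(content);
  throw new Error("unknown text panel html mode: " + mode);
}

// Constructed sample panel content.
const sample = 'Hi <b>there</b> <script>alert(1)</script> <a href="x">l</a>';
console.log(renderTextPanel(sample, "sanitize"));
console.log(renderTextPanel(sample, "disable"));
```

Because the sanitizer escapes rather than strips anything it does not recognise, a tag with attributes never reaches the browser as markup, which is the property that matters for the legend and text-panel cases discussed above.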