XSS: Option to disable and / or sanitize html in text panels #4117

Closed
torkelo opened this issue Feb 22, 2016 · 5 comments · Fixed by #14984
Labels: area/panel/common, area/security, help wanted, prio/medium (Important over the long term, but may not be staffed and/or may need multiple releases to complete)

Comments


torkelo commented Feb 22, 2016

Text panels can contain any HTML and therefore pose an XSS security problem.

Grafana should come with a backend option to disable and/or sanitize HTML in text panels.
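As an added example (not code from Grafana or from the fix referenced above), a minimal allowlist-based sanitizer for text-panel content in JavaScript, together with the disable-HTML option the issue proposes; the tag and attribute allowlists and the function names are assumptions chosen for illustration:

```javascript
// Added example, not Grafana's code: an allowlist sanitizer for text-panel
// content plus the "disable HTML" mode the issue asks for. The tag and
// attribute allowlists are hypothetical choices for illustration.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'code', 'pre']);
const ALLOWED_ATTRS = new Set(['href', 'title']);

// Full escaping: used for attribute values and for the disable-HTML mode.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
// Text nodes only need angle brackets neutralised; an entity in text cannot open a tag.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Only plain http(s)/mailto URLs pass; '&', quotes and whitespace are rejected
// outright so entity-encoded schemes are never decoded (query strings with '&'
// are rejected too; decode and re-check them if they must be supported).
function safeHref(value) {
  return /^(https?:\/\/|mailto:)[^\s"'<>&]*$/i.test(value);
}

function sanitizeTag(name, rawAttrs, closing) {
  if (!ALLOWED_TAGS.has(name)) return '';  // <script>, <img>, <iframe>, <svg> ...
  if (closing) return `</${name}>`;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let attrs = '';
  for (const m of rawAttrs.matchAll(attrRe)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (!ALLOWED_ATTRS.has(attr)) continue;  // drops onerror=, onclick=, style= ...
    if (attr === 'href' && !safeHref(value)) continue;
    attrs += ` ${attr}="${escapeHtml(value)}"`;
  }
  return `<${name}${attrs}>`;
}

// disableHtml is the backend option proposed in the issue: every character is
// escaped and the panel shows the markup as literal text.
function renderTextPanel(content, { disableHtml = false } = {}) {
  if (disableHtml) return escapeHtml(content);
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '', last = 0;
  for (const m of content.matchAll(tagRe)) {
    out += escapeText(content.slice(last, m.index));
    out += sanitizeTag(m[2].toLowerCase(), m[3], m[1] === '/');
    last = m.index + m[0].length;
  }
  return out + escapeText(content.slice(last));
}
```

A regex tokenizer like this is only a sketch of the approach; a production sanitizer should be built on a real HTML parser so that parser quirks cannot be used to smuggle markup past the allowlist.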

torkelo added the labels prio/medium, area/security, area/panel/common and help wanted on Feb 22, 2016
torkelo added this to the 4.0 milestone on Feb 22, 2016
torkelo modified the milestones: 4.1.0, 4.0.0 on Oct 19, 2016
torkelo removed this from the 4.1.0 milestone on Dec 14, 2016
jokerlee commented

This issue actually happened on our Grafana. We write some URLs to Elasticsearch, which are then printed as a legend in Grafana, and then XSS happens. This XSS vulnerability can be used as a penetration attack method.


torkelo commented Jan 23, 2017

@jokerlee what version of Grafana are you using? The graph legend HTML-encodes the series name, so the XSS should not be possible in that case.

tehmaspc commented

Any updates or plans on fixing this?

michaeltravisuk commented

I would also like to see this fixed, including as a configurable option.


z0vsky commented Dec 3, 2018

Any updates on this?
An attacker (or a malevolent user) having access to a Grafana instance could create a malicious panel as an attack vector to execute arbitrary JavaScript code in victims' browsers.
