
Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url #23254

Merged: 1 commit, Apr 1, 2020

Conversation

@torkelo (Member) commented Apr 1, 2020

By manually using the API, creating a dashboard snapshot a user could inject XSS in the original url. This fix makes sure the url is sanitized before rendering the link.

@torkelo torkelo added this to the 6.7.2 milestone Apr 1, 2020
@torkelo torkelo requested a review from marefr April 1, 2020 12:06
@torkelo torkelo changed the title Secuirty: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url Apr 1, 2020
@marefr (Member) left a comment

Still renders about:blank link but that's fine. LGTM
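As an added example (not the code from this PR or from Grafana), the kind of scheme allow-list sanitizer the description refers to, applied before the snapshot's "original dashboard" link is rendered; it also shows why a rejected value still renders as an about:blank link, as noted in the review. The function names and the about:blank fallback are assumptions of this example.

```javascript
// Added example, not Grafana's own code: a scheme allow-list sanitizer
// for a snapshot's "original dashboard" link. Anything that is not a
// same-origin relative path or an http(s) URL collapses to about:blank,
// which is why a rejected javascript: value still renders as a link.

const SAFE_SCHEMES = new Set(['http', 'https']);

function sanitizeUrl(url) {
  if (typeof url !== 'string') return 'about:blank';
  // Browsers drop tabs/newlines and leading control characters while
  // parsing the scheme, so "java\tscript:" must be judged as "javascript:".
  const cleaned = url.replace(/[\u0000-\u001f\u007f\s]/g, '');
  if (cleaned === '') return 'about:blank';
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) {
    // No scheme: a relative path such as /d/abc is fine, but a
    // protocol-relative //host leaves the origin, so reject it.
    return cleaned.startsWith('//') ? 'about:blank' : url;
  }
  return SAFE_SCHEMES.has(scheme[1].toLowerCase()) ? url : 'about:blank';
}

// Escape for an HTML attribute context; the href is scheme-checked first,
// escaping alone would not stop a javascript: URL from executing on click.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical render helper: sanitize, then escape, then build the anchor.
function renderOriginalDashboardLink(originalUrl) {
  const href = sanitizeUrl(originalUrl);
  return `<a href="${escapeHtml(href)}">Original dashboard</a>`;
}
```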

@torkelo torkelo merged commit fb114a7 into master Apr 1, 2020
@torkelo torkelo deleted the sanitize-snapshot-url branch April 1, 2020 14:04
torkelo added a commit that referenced this pull request Apr 1, 2020
@torkelo torkelo mentioned this pull request Apr 1, 2020
@atoptsoglou commented

This is probably CVE-2020-11110.
