New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TextPanel: Sanitize after markdown has been rendered to html #46166
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me - just with a question around the changed test. I don't quite follow the change there.
@@ -27,7 +27,7 @@ e2e.scenario({ | |||
`Server:pipe = A'A"A|BB\\B|CCC`, | |||
`Server:distributed = A'A"A,Server=BB\\B,Server=CCC`, | |||
`Server:csv = A'A"A,BB\\B,CCC`, | |||
`Server:html = A'A"A, BB\\B, CCC`, | |||
`Server:html = A'A"A, BB\\B, CCC`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we expect this to change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think the old expectation is actually showing the bug 🤔
the variable value is defined as A'A"A,BB\B,CCC
the markdown in the text panel of that test is defined as:
* `Server:html` = `${Server:html}`
so when interpolated, we should have (step 1)
* `Server:html` = `A'A"A,BB\B,CCC`
and when converted to html it should be (step 2):
Server:html
= A'A"A, BB\B, CCC
however with the old code, we sanitize the markdown string itself in step 1, giving:
* `Server:html` = `A'A"A,BB\B,CCC`
which leads to the html:
Server:html
=A'A"A,BB\B,CCC
* Sanitize after markdown has been rendered to html * Update e2e test (cherry picked from commit b1125c0)
* Sanitize after markdown has been rendered to html * Update e2e test
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes https://github.com/grafana/support-escalations/issues/2017
Special notes for your reviewer:
i'm pretty sure this is still as secure, but would appreciate 👀 from someone from a security perspective 😄