fix composer saved graphs target escaping

[ploxiln]

saved graphs targets were html-escaped in the json response
to fix an XSS vulnerability in #1662

... but that was not really the right place to escape the graph targets,
it broke targets using quotes: #1801 #2334

so effectively revert the original fix, and instead html-escape the
targets just before rendering them in the GraphDataWindow Ext.ListView

---

TODO:

• ensure works with python-3 (str(thing) is never the right way :)
• check what the "dashboard" interface does (it doesn't have this problem, does it allow html injection though?)

[lgtm-com]

This pull request introduces 1 alert and fixes 8 when merging 4c9a083 into 910bdea - view on LGTM.com

new alerts:

• 1 for Syntax error

fixed alerts:

• 4 for Unused variable, import, function or class
• 2 for Comparison between inconvertible types
• 1 for Superfluous trailing arguments
• 1 for Client-side URL redirect

[ploxiln]

This is done and tested with both python-2.7 and python-3.7

I tested by pasting <svg/onload=alert()> (thanks #1662) at the end of graph target expressions in these graph data lists:

(and I also tested target expressions with double quotes like summarize(..., "sum"))

Before this branch, pasting the svg-alert expression in either place and hitting enter to finish the edit would immediately cause the popup. In the composer, saving and loading the graph and viewing the data targets would no longer cause the popup, but would mess-up the legit double-quotes in the expression, breaking the graph. In the dashboard, saving and loading the dashboard and viewing the data targets would cause the XSS popup (but expressions with double-quotes worked correctly).

After this branch, pasting the svg-alert expression and hitting enter to finish the edit no longer causes popups, saving/loading/viewing does not cause popups in either place, and graphs with quotes work correctly.

Figuring out the ancient extjs parts were admittedly tricky.

• The function doing the escaping for both the composer and the dashboard can be found here: https://docs.sencha.com/extjs/3.4.0/#!/api/Ext.util.Format
• For the composer ListView I found an example here showing how to use these functions in templates: https://docs.sencha.com/extjs/3.4.0/#!/api/Ext.list.ListView
• For the dashboard the same 'tpl' property didn't work, but I followed the docs for the ColumnModel Column renderer to here: https://docs.sencha.com/extjs/3.4.0/#!/api/Ext.grid.Column

[ploxiln]

please take a look @deniszh

[deniszh]

Wow, @ploxiln , missed that somehow, sorry! Look good, awesome job!

[deniszh]

If @cbowman0 or others have no objections I'll merge it soon

[DanCech]

Looks good

[ploxiln]

Thanks :)