ui: fix stored XSS in old UI heatmap chart tick labels

This fixes the stored XSS as described in:

https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28

Signed-off-by: Julius Volz <julius.volz@gmail.com>
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Julius Volz 2026-04-22 17:31:29 +02:00 committed by Julien Pivotto
parent f227287843
commit bf6fb7362e


@ -10,6 +10,7 @@ import { Button } from 'reactstrap';
import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
import { faTimes } from '@fortawesome/free-solid-svg-icons';
import { GraphDisplayMode } from './Panel';
import { escapeHTML } from '../../utils';
require('../../vendor/flot/jquery.flot');
require('../../vendor/flot/jquery.flot.stack');
@ -151,7 +152,7 @@ class Graph extends PureComponent<GraphProps, GraphState> {
if (options.yaxis && isHeatmap) {
options.yaxis.ticks = () => new Array(data.length + 1).fill(0).map((_el, i) => i);
options.yaxis.tickFormatter = (val) => `${val ? data[val - 1].labels.le : ''}`;
options.yaxis.tickFormatter = (val) => `${val ? escapeHTML(data[val - 1].labels.le) : ''}`;
options.yaxis.min = 0;
options.yaxis.max = data.length;
options.series.lines = { show: false };