Merge pull request #18588 from roidelapluie/roidelapluie/react-escape

ui: fix stored XSS in old UI heatmap chart tick labels
2026-05-05 12:26:14 +02:00 · 2026-04-27 13:23:07 +02:00 · 2026-04-27 13:23:07 +02:00 · ecbde5fc10
commit ecbde5fc10
parent 04055ee190 38f23b9075
1 changed files with 2 additions and 1 deletions
--- a/web/ui/react-app/src/pages/graph/Graph.tsx
+++ b/web/ui/react-app/src/pages/graph/Graph.tsx
@ -10,6 +10,7 @@ import { Button } from 'reactstrap';
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 import { faTimes } from '@fortawesome/free-solid-svg-icons';
 import { GraphDisplayMode } from './Panel';
+import { escapeHTML } from '../../utils';

 require('../../vendor/flot/jquery.flot');
 require('../../vendor/flot/jquery.flot.stack');
@ -151,7 +152,7 @@ class Graph extends PureComponent<GraphProps, GraphState> {

    if (options.yaxis && isHeatmap) {
      options.yaxis.ticks = () => new Array(data.length + 1).fill(0).map((_el, i) => i);
-      options.yaxis.tickFormatter = (val) => `${val ? data[val - 1].labels.le : ''}`;
+      options.yaxis.tickFormatter = (val) => `${val ? escapeHTML(data[val - 1].labels.le) : ''}`;
      options.yaxis.min = 0;
      options.yaxis.max = data.length;
      options.series.lines = { show: false };