Mirror of https://github.com/prometheus/prometheus.git, synced 2026-04-19 12:41:04 +02:00
Metric names, label names, and label values containing HTML/JavaScript were inserted into `innerHTML` without escaping in several UI code paths, enabling stored XSS attacks via crafted metrics. This mostly becomes exploitable in Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric and label names.

Apply `escapeHTML()` to all user-controlled values before innerHTML insertion in:

* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip

See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99

Signed-off-by: Julius Volz <julius.volz@gmail.com>
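The pattern the commit describes, as an added illustration that is not Prometheus's own code: a tooltip builder that interpolates a series name and its labels into an HTML string, shown once without escaping and once with an `escapeHTML()` helper applied to every user-controlled value before the string reaches `innerHTML`. The `renderTooltipUnsafe`, `renderTooltipSafe` and `escapeHTML` functions and the sample series are assumptions constructed for this example; they stand in for the real UI code paths, which are not reproduced here.

```javascript
// Added example, not code from the Prometheus repository.
// Escape the five characters that matter in HTML text and attribute contexts.
// Every value that comes from a scraped target (metric name, label name,
// label value) must pass through this before being concatenated into markup.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical tooltip renderer modelled on a chart tooltip: metric name as a
// heading, then one row per label. This is the vulnerable shape: raw values
// are concatenated into markup that the caller assigns to element.innerHTML.
function renderTooltipUnsafe(metricName, labels) {
  let html = `<div class="tooltip"><strong>${metricName}</strong><ul>`;
  for (const [name, value] of Object.entries(labels)) {
    html += `<li>${name}="${value}"</li>`;
  }
  return html + "</ul></div>";
}

// Hardened shape: identical markup, but each user-controlled string is
// escaped at the point where it enters the HTML string.
function renderTooltipSafe(metricName, labels) {
  let html = `<div class="tooltip"><strong>${escapeHTML(metricName)}</strong><ul>`;
  for (const [name, value] of Object.entries(labels)) {
    html += `<li>${escapeHTML(name)}="${escapeHTML(value)}"</li>`;
  }
  return html + "</ul></div>";
}

// Constructed sample: a label value carrying markup, and a metric name using
// characters that UTF-8 metric names permit in Prometheus 3.x.
const sampleSeries = {
  name: 'http.requests<total>',
  labels: { path: '<b>/login</b>', note: 'a"b&c' },
};

// Returns true when the safe renderer has no raw tag left from the input.
function safeOutputHasNoRawTags(series) {
  const out = renderTooltipSafe(series.name, series.labels);
  return !/<b>|<total>/.test(out);
}

// Stand-alone run: show both outputs side by side.
console.log(renderTooltipUnsafe(sampleSeries.name, sampleSeries.labels));
console.log(renderTooltipSafe(sampleSeries.name, sampleSeries.labels));
```

Where the UI does not need markup at all, assigning the value to `textContent` (or letting a framework render it as text) avoids the escaping step entirely; the escaping helper is for the cases, like these tooltips, where the code builds an HTML string and hands it to `innerHTML`.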