Describe the bug
It's possible to execute JS in the application context by modifying the "Relative Time Range".

To Reproduce
Access a graphite-web instance (i.e. http://localhostdashboard/). You don't really need data in it.
<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">"
After performing all the actions, its value becomes:
s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D

Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" and ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots

Environment (please complete the following information):
OS flavor: Debian
Graphite-web version: 1.1.8-8
Django/Python version: N/A, but confirmed on 1.08-1.11/2.7, 2.1/3.6
Setup type: docker

Additional context
Add any other context about the problem here.
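As an added example (not graphite-web's own code), the following decodes the dashboard state value quoted above and applies the sanitization the report asks for: "from" and "until" are checked against an allowlist of relative time expressions (an assumed subset of Graphite's time grammar) and anything else is replaced by a default, so the value never reaches the DOM unchecked. The "s:" prefix handling and the default range are assumptions.

```javascript
// Added example, not graphite-web code: decode the state value from the report,
// validate the time-range fields, and fall back to safe defaults on mismatch.

// Cookie value exactly as quoted in the report.
const REPORTED_COOKIE =
  's%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E' +
  '%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E' +
  '%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D';

// Decode "s:" + URL-encoded JSON into an object. The "s:" prefix appears in the
// report; treating it as a plain marker to strip is an assumption here.
function decodeStateCookie(raw) {
  const text = decodeURIComponent(raw);
  const json = text.startsWith('s:') ? text.slice(2) : text;
  return JSON.parse(json);
}

// Allowlist: "now" or "-<n><unit>". Assumed subset of Graphite's relative time
// grammar; extend the unit list if your deployment needs more forms.
const RELATIVE_TIME =
  /^(now|-\d{1,6}(s|sec|seconds?|min|minutes?|h|hours?|d|days?|w|weeks?|mon|months?|y|years?))$/;

function isValidTimeRange(value) {
  return typeof value === 'string' && RELATIVE_TIME.test(value);
}

// Escape for the one case where a free-form string must still be rendered as HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Return a copy of the state that is safe to render: any "from"/"until" value that
// fails the allowlist is replaced by the (assumed) default and recorded in `rejected`.
function sanitizeState(state, defaults = { from: '-2hours', until: 'now' }) {
  const out = { ...state, rejected: [] };
  for (const key of ['from', 'until']) {
    if (!isValidTimeRange(state[key])) {
      out.rejected.push(key);
      out[key] = defaults[key];
    }
  }
  return out;
}
```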