Open takyoni opened 2 years ago
Looks like it's not fixed in #2785 :( /cc @msaf1980
@deniszh I already updated our staging (and production today). Now I can't reproduce the issue (and could before the update). No alert window in the web front end, and dangerous symbols are escaped.
I think the bug is in the ExtJS DateField.
Describe the bug
It's possible to execute JS in the application context by modifying the "Absolute Time Range".

To Reproduce
Access a new dashboard in a graphite-web instance (i.e. http://localhost/dashboard). Use the "Absolute Time Range". Write in Start Date:
<img src=1 onerror=alert()>
Write in End Date:
<img src=1 onerror=alert()>
Hover the mouse over these fields.

Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots

Environment (please complete the following information):
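As an added example (not graphite-web or ExtJS code, and not the fix applied in the project), the following shows the bug class the report describes: a date field whose hover tooltip is built by concatenating the typed text into markup, next to a hardened renderer that HTML-encodes the value before it reaches the tooltip, plus an allowlist check that rejects anything that does not look like a date. The function and CSS class names, and the assumed "YYYY-MM-DD HH:MM" input format, are illustrative assumptions; the payload is the one from the report.

```javascript
// Added example, not graphite-web/ExtJS code. Names and the accepted date
// format are assumptions made for illustration.

// Payload typed into Start Date / End Date in the report above.
const PAYLOAD = '<img src=1 onerror=alert()>';

// Minimal HTML entity encoder for the characters that matter in text and
// quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the raw field value is concatenated into markup that
// is later assigned to innerHTML (or handed to a tooltip as HTML). With the
// payload above, the <img> element is created and its onerror handler runs.
function renderTooltipUnsafe(fieldLabel, value) {
  return `<div class="x-tip-body"><b>${fieldLabel}</b>: ${value}</div>`;
}

// Hardened pattern: every untrusted piece is encoded for the HTML text
// context, so the browser renders "<img ...>" as literal text.
function renderTooltipSafe(fieldLabel, value) {
  return `<div class="x-tip-body"><b>${escapeHtml(fieldLabel)}</b>: ${escapeHtml(value)}</div>`;
}

// Defence in depth: the field only ever needs to carry a date/time, so
// reject anything else before it is stored or echoed. Assumed format:
// "YYYY-MM-DD" with optional " HH:MM".
const DATE_RE = /^\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?$/;
function acceptDateInput(value) {
  return DATE_RE.test(value) && !Number.isNaN(Date.parse(value.replace(' ', 'T')));
}

// Demonstration check only: does the rendered markup contain any start or
// end tag beyond the <div> and <b> that the template itself emits?
function containsInjectedTag(html) {
  const templateTags = html.match(/<\/?(?:div|b)\b[^>]*>/g) || [];
  const allTags = html.match(/<[^>]+>/g) || [];
  return allTags.length !== templateTags.length;
}

console.log('unsafe:', renderTooltipUnsafe('Start Date', PAYLOAD));
console.log('safe:  ', renderTooltipSafe('Start Date', PAYLOAD));
console.log('accept payload as date?', acceptDateInput(PAYLOAD));
```

Output encoding at the point where the value is placed into HTML is the actual fix; the date allowlist is a second layer, since a field that only needs a date has no reason to accept "<" or ">" at all, which is the mitigation the report suggests.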