You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After performing all the actions, its value becomes:
s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.
Screenshots
Environment (please complete the following information):
OS flavor: Debian
Graphite-web version [1.1.8-8]
Django/Python version N/A but confirmed on 1.08-1.11/2.7, 2.1/3.6
Setup type: docker
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered:
Describe the bug
It's possible to execute JS on application context by modifying the "Relative Time Range"
To Reproduce
Access to a graphite-web instance (i.e. http://localhostdashboard/). You don't really need data in it.
<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">"s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7DExpected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.
Screenshots
Environment (please complete the following information):
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: