
Merge pull request #14988 from grafana/sanitize-input-fixes

Fixed issues with the sanitize input in text panels
Torkel Ödegaard 7 vuotta sitten
vanhempi
commit
75e3d90089

+ 5 - 2
CHANGELOG.md

@@ -26,8 +26,11 @@
 * **Prometheus**: Query for annotation always uses 60s step regardless of dashboard range, fixes [#14795](https://github.com/grafana/grafana/issues/14795)
 
 ### Breaking changes
-* **Text Panel**: The text panel does no longer by default allow unsantizied HTML. [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings `disable_sanitize_input` 
-under the section `[panels]` in your Grafana ini file, or set env variable `GF_PANELS_DISABLE_SANITIZE_INPUT=true`. 
+* **Text Panel**: The text panel does no longer by default allow unsantizied HTML.
+* [#4117](https://github.com/grafana/grafana/issues/4117). This means that if you have text panels with scripts tags
+* they will no longer work as before. To enable unsafe javascript execution in text panels enable the settings
+* `disable_sanitize_html` under the section `[panels]` in your Grafana ini file, or set env variable
+* `GF_PANELS_DISABLE_SANITIZE_HTML=true`.
 
 # 5.4.3 (2019-01-14)
 

+ 1 - 1
conf/defaults.ini

@@ -570,7 +570,7 @@ callback_url =
 
 [panels]
 enable_alpha = false
-disable_sanitize_input = false
+disable_sanitize_html = false
 
 [enterprise]
 license_path =

+ 5 - 0
conf/sample.ini

@@ -495,3 +495,8 @@ log_queries =
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =
 
+[panels]
+;enable_alpha = false
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
+
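Review bot: The comment above the new `disable_sanitize_html` key has a grammatical slip (`it enable`) and does not say that the toggle is instance-wide, which is what an operator weighing the risk needs to know. I would write it as `# If set to true Grafana will allow script tags in all text panels. Not recommended as it enables XSS vulnerabilities.`. The same sentence recurs in docs/sources/installation/configuration.md, where `This settings was introduced` should also read `This setting was introduced`.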

+ 11 - 0
docs/sources/installation/configuration.md

@@ -589,3 +589,14 @@ Default setting for how Grafana handles nodata or null values in alerting. (aler
 Alert notifications can include images, but rendering many images at the same time can overload the server.
 This limit will protect the server from render overloading and make sure notifications are sent out quickly. Default
 value is `5`.
+
+## [panels]
+
+### enable_alpha
+Set to true if you want to test panels that are not yet ready for general usage.
+
+### disable_sanitize_html
+If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities. Default
+is false. This settings was introduced in Grafana v6.0.
+
+

+ 1 - 1
pkg/api/frontendsettings.go

@@ -166,7 +166,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *m.ReqContext) (map[string]interf
 		"externalUserMngLinkUrl":     setting.ExternalUserMngLinkUrl,
 		"externalUserMngLinkName":    setting.ExternalUserMngLinkName,
 		"viewersCanEdit":             setting.ViewersCanEdit,
-		"disableSanitizeInput":       hs.Cfg.DisableSanitizeInput,
+		"disableSanitizeHtml":        hs.Cfg.DisableSanitizeHtml,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,

+ 2 - 3
pkg/setting/setting.go

@@ -90,7 +90,6 @@ var (
 	EmailCodeValidMinutes            int
 	DataProxyWhiteList               map[string]bool
 	DisableBruteForceLoginProtection bool
-	DisableSanitizeInput             bool
 
 	// Snapshots
 	ExternalSnapshotUrl   string
@@ -223,7 +222,7 @@ type Cfg struct {
 	MetricsEndpointBasicAuthUsername string
 	MetricsEndpointBasicAuthPassword string
 	EnableAlphaPanels                bool
-	DisableSanitizeInput             bool
+	DisableSanitizeHtml              bool
 	EnterpriseLicensePath            string
 }
 
@@ -711,7 +710,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 
 	panels := iniFile.Section("panels")
 	cfg.EnableAlphaPanels = panels.Key("enable_alpha").MustBool(false)
-	cfg.DisableSanitizeInput = panels.Key("sanitize_input_disabled").MustBool(false)
+	cfg.DisableSanitizeHtml = panels.Key("disable_sanitize_html").MustBool(false)
 
 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()
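Review bot: The new `disable_sanitize_html` key is a security toggle, but Load gives no signal when it is turned on, so an operator reading startup logs cannot tell that text-panel HTML sanitization is off. After the assignment at the end of the third hunk, consider emitting a warning when the value is true, e.g. `if cfg.DisableSanitizeHtml { /* warn: text panel HTML sanitization disabled */ }`, using whatever logger the package has in scope. The key read by the previous code (`sanitize_input_disabled`) never matched the `disable_sanitize_input` shipped in defaults.ini, so a compatibility fallback for the old name does not appear necessary; a short comment saying so would spare the next reader the same investigation. Load's body continues outside the hunk.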

+ 2 - 2
public/app/core/config.ts

@@ -35,7 +35,7 @@ export class Settings {
   loginHint: any;
   loginError: any;
   viewersCanEdit: boolean;
-  disableSanitizeInput: boolean;
+  disableSanitizeHtml: boolean;
 
   constructor(options: Settings) {
     const defaults = {
@@ -53,7 +53,7 @@ export class Settings {
         isEnterprise: false,
       },
       viewersCanEdit: false,
-      disableSanitizeInput: false
+      disableSanitizeHtml: false
     };
 
     _.extend(this, defaults, options);

+ 1 - 2
public/app/plugins/panel/text/module.ts

@@ -92,8 +92,7 @@ export class TextPanelCtrl extends PanelCtrl {
   }
 
   updateContent(html: string) {
-    const { disableSanitizeInput } = config;
-    html = disableSanitizeInput ? html : sanitize(html);
+    html = config.disableSanitizeHtml ? html : sanitize(html);
     try {
       this.content = this.$sce.trustAsHtml(this.templateSrv.replace(html, this.panel.scopedVars));
     } catch (e) {
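Review bot: The sanitization on the new line runs on the raw panel content, but the value passed to trustAsHtml on the next line is the output of templateSrv.replace, so any markup carried in a template or scoped variable value is inserted after sanitize() has already run. Unless templateSrv.replace escapes its substitutions (not visible here), the check should move after interpolation: `const interpolated = this.templateSrv.replace(html, this.panel.scopedVars);` followed by `this.content = this.$sce.trustAsHtml(config.disableSanitizeHtml ? interpolated : sanitize(interpolated));`. The remainder of updateContent, including the catch block, is outside the hunk.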