
Fixed XSS issue with file-based dashboards; it was really caused by alertSrv accepting HTML in alert messages

Torkel Ödegaard 10 лет назад
Родитель
Сommit
d10ce90936

+ 1 - 1
public/app/routes/dashLoadControllers.js

@@ -76,7 +76,7 @@ function (angular, _, kbn, moment, $) {
         }
         return result.data;
       },function() {
-        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load <i>dashboards/"+file+"</i>. Please make sure it exists"]);
+        $scope.appEvent('alert-error', ["Dashboard load failed", "Could not load "+file+". Please make sure it exists"]);
         return false;
       });
     };
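Review bot: The error text now embeds `file` as plain text, which is only safe because alertSrv no longer marks alert text as trusted HTML and the view renders it with ng-bind; nothing in this callback records that contract, so re-adding `<i>` or similar markup here later would look harmless while depending on the other two files staying as they are. A one-line comment on the appEvent call would anchor it: `// alert text is rendered as plain text (ng-bind); do not embed markup here`. `file` presumably comes from the route parameters, i.e. from the URL — worth confirming in the enclosing function, which begins outside the hunk.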

+ 1 - 1
public/app/services/alertSrv.js

@@ -29,7 +29,7 @@ function (angular, _) {
     this.set = function(title,text,severity,timeout) {
       var newAlert = {
         title: title || '',
-        text: $sce.trustAsHtml(text || ''),
+        text: text || '',
         severity: severity || 'info',
       };
 
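Review bot: With `$sce.trustAsHtml` removed, the service's `$sce` injection (declared outside this hunk, presumably in the factory signature) is likely now unused; dropping it means no remaining code path in this service can mark caller-supplied strings as trusted HTML. The new line also deserves a why-comment so the change is not later reverted as a rendering regression: `text: text || '', // plain text only: the view uses ng-bind, never trustAsHtml`. The `set` function continues past the hunk.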

+ 1 - 1
public/views/index.html

@@ -35,7 +35,7 @@
 						<i class="fa fa-times-circle"></i>
 					</button>
 					<div class="alert-title">{{alert.title}}</div>
-					<div ng-bind-html='alert.text'></div>
+					<div ng-bind='alert.text'></div>
 				</div>
 			</div>
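Review bot: Switching to `ng-bind` is the part of the commit that actually stops injected markup from being rendered; the other two hunks only stop supplying it, so this line carries the invariant and should say so, e.g. `<!-- alert.text may contain caller-supplied strings: keep ng-bind, never ng-bind-html -->` placed above the div. Minor style: the new attribute uses single quotes (`ng-bind='alert.text'`) while the neighbouring attributes use double quotes; `ng-bind="alert.text"` matches the rest of the file.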