Describe the bug
It's possible to execute JS in the application context by modifying the "Absolute Time Range" fields.
To Reproduce
Open a new dashboard in a graphite-web instance (e.g. http://localhost/dashboard).
Use the "Absolute Time Range" option.
Write in Start Date:
<img src=1 onerror=alert()>
Write in EndDate:
<img src=1 onerror=alert()>
Hover the mouse over these fields.
Expected behavior
This can be solved by rejecting or ignoring requests whose values contain the characters "<" and ">" or other markup/scripting characters. In short: sanitize the value before using it.
Screenshots


Environment (please complete the following information):
- OS flavor: Debian 11
- Graphite-web version 1.1.8
- Setup type: docker
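The fix suggested under "Expected behavior", as an added example that is not graphite-web's own code: the range values are validated against a strict date allowlist before use, and anything echoed into the hover tooltip is HTML-escaped as defense in depth. The accepted format "YYYY-MM-DD HH:MM" and the function names are assumptions made for this example, not what the dashboard's picker actually produces.

```javascript
// Added example (not graphite-web's own code): validate the Absolute Time
// Range inputs against a strict date allowlist and HTML-escape anything that
// is rendered into the tooltip, so a value like <img src=1 onerror=alert()>
// is neither accepted nor interpreted as markup.
// Assumption: the dashboard accepts "YYYY-MM-DD HH:MM" (a format chosen for
// this example, not necessarily what graphite-web's picker produces).

const ABSOLUTE_TIME_RE = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2})$/;

// Returns a Date when the value is well-formed and a real calendar time,
// otherwise null. Anything that is not a date is rejected outright.
function parseAbsoluteTime(value) {
  const m = ABSOLUTE_TIME_RE.exec(String(value).trim());
  if (!m) return null;
  const [year, month, day, hour, minute] = m.slice(1).map(Number);
  const d = new Date(Date.UTC(year, month - 1, day, hour, minute));
  // Reject values such as 2023-02-31 that Date would silently roll over.
  const roundTrips = d.getUTCFullYear() === year && d.getUTCMonth() === month - 1 &&
    d.getUTCDate() === day && d.getUTCHours() === hour && d.getUTCMinutes() === minute;
  return roundTrips ? d : null;
}

// Defense in depth: whatever is rendered as HTML (for example the hover
// tooltip) gets its markup-significant characters escaped.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Builds the tooltip text for the range fields. Invalid input is never
// echoed back as markup: it is reported with a fixed message and escaped.
function rangeTooltip(startValue, endValue) {
  const start = parseAbsoluteTime(startValue);
  const end = parseAbsoluteTime(endValue);
  if (!start || !end) {
    return 'Invalid time range: ' + escapeHtml(startValue) + ' / ' + escapeHtml(endValue);
  }
  if (end <= start) return 'Invalid time range: end must be after start';
  return 'From ' + start.toISOString() + ' to ' + end.toISOString();
}
```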