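--- a/webapp/graphite/composer/views.py
+++ b/webapp/graphite/composer/views.py
@@ -21,6 +21,7 @@
 from django.http import HttpResponse
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
+from django.utils.html import escape
 
 
 def composer(request):
@@ -65,7 +66,7 @@ def mygraph(request):
 newGraph.save()
 except Exception:
 log.exception("Failed to create new MyGraph in /composer/mygraph/, graphName=%s" % graphName)
-return HttpResponse("Failed to save graph %s" % graphName)
+return HttpResponse("Failed to save graph %s" % escape(graphName))
 
 return HttpResponse("SAVED")
 
@@ -75,9 +76,9 @@ def mygraph(request):
 existingGraph.delete()
 
 except ObjectDoesNotExist:
-return HttpResponse("No such graph '%s'" % graphName)
+return HttpResponse("No such graph '%s'" % escape(graphName))
 
 return HttpResponse("DELETED")
 
 else:
-return HttpResponse("Invalid operation '%s'" % action)
+return HttpResponse("Invalid operation '%s'" % escape(action))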
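Review bot: The three escaped responses are still served as text/html (HttpResponse's default content type), so the view remains one unescaped `%s` away from the same bug the next time an error string is added; serving these error paths as plain text closes the class rather than the instance, e.g. `return HttpResponse("No such graph '%s'" % escape(graphName), content_type='text/plain')`. The error branches also still answer 200, which hides the failure from callers and from tests that check status codes the way the existing find tests do with `status_code=400`; `HttpResponseNotFound` for the missing graph and `HttpResponseBadRequest` for the invalid action would fix that without changing the bodies. `mygraph` begins and ends outside these hunks, so any other reflected values in it cannot be checked here.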
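--- a/webapp/tests/test_xss.py
+++ b/webapp/tests/test_xss.py
@@ -6,6 +6,8 @@
 except ImportError: # Django < 1.10
 from django.urls import reverse
 
+from django.contrib.auth.models import User
+
 from .base import TestCase
 
 # Silence logging during tests
@@ -49,3 +51,25 @@ def test_find_xss_script_tag(self):
 for param in ('from', 'until'):
 response = self.client.get(url, {'query': 'test', param: xssStr})
 self.assertXSS(response, status_code=400, msg_prefix='XSS detected in %s: ' % param)
+
+
+class ComposerMyGraphXSSTest(TestCase):
+def setUp(self):
+self.user = User.objects.create_user('testxss', 'testxss@example.com', 'pass')
+self.client.login(username='testxss', password='pass')
+
+def test_mygraph_xss_action(self):
+"""Test that XSS in the action parameter is properly escaped (issue #2794)"""
+url = reverse('composer_mygraph')
+xssStr = '"><script>alert(1)</script>'
+
+response = self.client.get(url, {'action': xssStr, 'graphName': 'test'})
+self.assertXSS(response, msg_prefix='XSS detected in action: ')
+
+def test_mygraph_xss_graphname(self):
+"""Test that XSS in the graphName parameter is properly escaped (issue #2794)"""
+url = reverse('composer_mygraph')
+xssStr = '"><script>alert(1)</script>'
+
+response = self.client.get(url, {'action': 'delete', 'graphName': xssStr})
+self.assertXSS(response, msg_prefix='XSS detected in graphName: ')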
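Review bot: Both new tests rely solely on `assertXSS`, whose implementation lives in `.base` and is not visible here, so it is unclear whether they confirm that the payload came back escaped rather than merely absent; adding `self.assertContains(response, '&lt;script&gt;')` after each `assertXSS` call would pin the behaviour the view change actually introduces. Neither test reaches the "Failed to save graph" branch, which needs `newGraph.save()` to raise and presumably cannot be triggered through the test client without patching the model; if that path is deliberately left uncovered, a one-line comment on the class saying so would stop the next reader from assuming it is tested. The `action` test also passes no `status_code`, unlike the find tests above, so it presumably accepts whatever status the view returns.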