github-mirrors/prometheus
1
0
Fork 0
mirror of https://github.com/prometheus/prometheus synced 2026-04-21 15:11:07 +08:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity
Files
main
prometheus/web/ui/react-app
History
Julius Volz a4d5f98f42 UI: Fix stored XSS via unescaped metric names and labels 
Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.

Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:

* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip

See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99

Signed-off-by: Julius Volz <julius.volz@gmail.com>
2026-04-04 12:19:55 +02:00
..
public
fix some typos (#12498)
2023-06-29 12:28:13 +02:00
src
UI: Fix stored XSS via unescaped metric names and labels
2026-04-04 12:19:55 +02:00
.env
Fix broken prefixed asset links in webpack build (#9586)
2021-10-25 12:52:13 +02:00
.eslintrc.json
Update React 16->17, TypeScript, and some other node deps
2021-09-14 15:46:59 +02:00
.gitignore
Integrate beginning of React UI (#5694)
2019-10-17 14:38:09 +02:00
package-lock.json
Migrate Mantine v7 -> v8 (#17402)
2025-11-06 09:38:27 +01:00
package.json
Upgraded npm dependencies pre 3.4.0-rc.0 (#16493)
2025-04-29 17:19:23 +02:00
tsconfig.json
upgrade react-app to typescript 4
2021-09-07 10:51:59 +02:00