
Commit 6802a59

authored
Merge pull request #4843 from pnrgenc/SER-1086
[SER-1086] Fix: Chart tooltip injection
2 parents 2303c29 + 8cf1f85 commit 6802a59


2 files changed

+25
-18
lines changed


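--- a/frontend/express/public/javascripts/countly/vue/components/vis.js
+++ b/frontend/express/public/javascripts/countly/vue/components/vis.js
@@ -630,9 +630,9 @@
 template += '<div class="bu-is-flex">\
 <div class="chart-tooltip__bar bu-mr-2 bu-mt-1" style="background-color: ' + params.color + ';"></div>\
 <div>\
-<div class="chart-tooltip__header text-smaller font-weight-bold bu-mb-3">' + countlyCommon.encodeHtml(params.seriesName) + '</div>\
-<div class="text-small"> ' + countlyCommon.encodeHtml(params.data.name) + '</div>\
-<div class="text-big">' + formatter(countlyCommon.encodeHtml(params.data.value)) + '</div>\
+<div class="chart-tooltip__header text-smaller font-weight-bold bu-mb-3">' + this.sanitizeHtml(params.seriesName) + '</div>\
+<div class="text-small"> ' + this.sanitizeHtml(params.data.name) + '</div>\
+<div class="text-big">' + formatter(this.sanitizeHtml(params.data.value)) + '</div>\
 </div>\
 </div>';
 
@@ -641,7 +641,7 @@
 else {
 template = "<div class='chart-tooltip" + ((params.length > 10) ? " chart-tooltip__has-scroll" : "") + "'>";
 if (params.length > 0) {
-template += "<span class='chart-tooltip__header text-smaller font-weight-bold'>" + countlyCommon.encodeHtml(params[0].axisValueLabel) + "</span></br>";
+template += "<span class='chart-tooltip__header text-smaller font-weight-bold'>" + this.sanitizeHtml(params[0].axisValueLabel) + "</span></br>";
 }
 
 if (self.sortBy === "index") {
@@ -670,10 +670,10 @@
 template += '<div class="chart-tooltip__body' + ((params.length > 4) ? " chart-tooltip__single-row" : " ") + '">\
 <div class="chart-tooltip__bar" style="background-color: ' + params[i].color + ';"></div>\
 <div class="chart-tooltip__series">\
-<span class="text-small">' + countlyCommon.encodeHtml(params[i].seriesName) + '</span>\
+<span class="text-small">' + this.sanitizeHtml(params[i].seriesName) + '</span>\
 </div>\
 <div class="chart-tooltip__value">\
-<span class="text-big">' + (typeof params[i].value === 'object' ? formatter((isNaN(countlyCommon.encodeHtml(params[i].value[1])) ? 0 : countlyCommon.encodeHtml(params[i].value[1])), countlyCommon.encodeHtml(params[i].value), i) : formatter((isNaN(params[i].value) ? 0 : countlyCommon.encodeHtml(params[i].value)), null, i)) + '</span>\
+<span class="text-big">' + (typeof params[i].value === 'object' ? formatter((isNaN(this.sanitizeHtml(params[i].value[1])) ? 0 : this.sanitizeHtml(params[i].value[1])), this.sanitizeHtml(params[i].value), i) : formatter((isNaN(params[i].value) ? 0 : this.sanitizeHtml(params[i].value)), null, i)) + '</span>\
 </div>\
 </div>';
 }
@@ -727,9 +727,9 @@
 show: true,
 color: "#81868D",
 fontSize: 12,
-formatter: function(value) {
+formatter: (value) => {
 if (typeof value === "number") {
-return countlyCommon.getShortNumber(countlyCommon.encodeHtml(value));
+return countlyCommon.getShortNumber(this.sanitizeHtml(value));
 }
 return value;
 }
@@ -867,6 +867,13 @@
 
 return options;
 },
+sanitizeHtml: function(value) {
+if (value) {
+value = countlyCommon.encodeHtml(value);
+return countlyCommon.unescapeHtml(value);
+}
+return value;
+}
 }
 });
 
@@ -1113,39 +1120,39 @@
 </div>\
 <div class="graph-tooltip-wrapper__container">';
 }
-template += '<div class="' + countlyCommon.encodeHtml(conditionalClassName) + '">\
-<div class="bu-mb-1"><span class="text-small color-cool-gray-50">#' + countlyCommon.encodeHtml(filteredNotes[i].indicator) + '</span></div>\
+template += '<div class="' + this.sanitizeHtml(conditionalClassName) + '">\
+<div class="bu-mb-1"><span class="text-small color-cool-gray-50">#' + this.sanitizeHtml(filteredNotes[i].indicator) + '</span></div>\
 <div class="bu-is-flex bu-is-justify-content-space-between graph-notes-tooltip__header">\
 <div class="bu-is-flex bu-is-flex-direction-column">\
-<div class="text-small input-owner">' + countlyCommon.encodeHtml(filteredNotes[i].owner_name) + '</div>\
+<div class="text-small input-owner">' + this.sanitizeHtml(filteredNotes[i].owner_name) + '</div>\
 <div class="text-small color-cool-gray-50 note-date">' + moment(filteredNotes[i].ts).format("MMM D, YYYY hh:mm A") + '</div>\
 </div>\
 <div class="bu-is-flex bu-is-flex-direction-column bu-is-align-items-flex-end">\
-<span class="text-small color-cool-gray-50 bu-is-capitalized note-type">' + countlyCommon.encodeHtml(filteredNotes[i].noteType) + '</span>\
+<span class="text-small color-cool-gray-50 bu-is-capitalized note-type">' + this.sanitizeHtml(filteredNotes[i].noteType) + '</span>\
 </div>\
 </div>\
-<div class="bu-mt-2 graph-notes-tooltip__body"><span class="text-small input-notes input-minimizer">' + countlyCommon.encodeHtml(filteredNotes[i].note) + '</span></div>\
+<div class="bu-mt-2 graph-notes-tooltip__body"><span class="text-small input-notes input-minimizer">' + this.sanitizeHtml(filteredNotes[i].note) + '</span></div>\
 </div>';
 if (i === filteredNotes.length) {
 template = "</div>";
 }
 }
 }
 else {
-template += '<div class="' + countlyCommon.encodeHtml(conditionalClassName) + '">\
+template += '<div class="' + this.sanitizeHtml(conditionalClassName) + '">\
 <div class="bu-is-flex bu-is-justify-content-space-between graph-notes-tooltip__header">\
 <div class="bu-is-flex bu-is-flex-direction-column name-wrapper">\
-<div class="text-medium input-owner">' + countlyCommon.encodeHtml(params.data.note.owner_name) + '</div>\
+<div class="text-medium input-owner">' + this.sanitizeHtml(params.data.note.owner_name) + '</div>\
 <div class="text-small color-cool-gray-50 note-date">' + moment(params.data.note.ts).format("MMM D, YYYY hh:mm A") + '</div>\
 </div>\
 <div class="bu-is-flex bu-is-flex-direction-column bu-is-align-items-flex-end">\
 <span onClick="window.hideGraphTooltip()">\
 <i class="el-icon-close"></i>\
 </span>\
-<span class="text-small color-cool-gray-50 bu-is-capitalized note-type">' + countlyCommon.encodeHtml(params.data.note.noteType) + '</span>\
+<span class="text-small color-cool-gray-50 bu-is-capitalized note-type">' + this.sanitizeHtml(params.data.note.noteType) + '</span>\
 </div>\
 </div>\
-<div class="graph-notes-tooltip__body"><span class="text-medium input-notes">' + countlyCommon.encodeHtml(params.data.note.note) + '</span></div>\
+<div class="graph-notes-tooltip__body"><span class="text-medium input-notes">' + this.sanitizeHtml(params.data.note.note) + '</span></div>\
 </div>';
 }
 return template;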
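Review bot: The new sanitizeHtml helper (new lines 870–876) encodes the value and then immediately unescapes it, so if countlyCommon.unescapeHtml is the inverse of countlyCommon.encodeHtml the returned string is the raw input and every tooltip that now concatenates this.sanitizeHtml(...) into HTML is left unescaped — the opposite of what the commit title claims; this cannot be confirmed from the hunk because both helpers are defined elsewhere, so it needs checking against countly.common.js. If the intent is to avoid double-encoding values that already arrive escaped, reverse the order so the output is encoded exactly once regardless of input: `value = countlyCommon.unescapeHtml(String(value)); return countlyCommon.encodeHtml(value);`, and add a comment such as `// normalise to plain text first, then escape once for HTML concatenation`. Separately, the tooltip formatter hunks at old lines 630–638, 641–647 and 670–679 reach the component through `self` (see `self.sortBy` on line 647) yet the new code calls `this.sanitizeHtml`; if the chart library invokes that formatter with its own `this`, the call throws at render time, and `self.sanitizeHtml` would match the surrounding convention. The enclosing formatter functions begin and end outside these hunks.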

frontend/express/public/javascripts/utils/vue/element-ui.js

+1-1
