diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49bd5762c3d..0e0721e4182 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@
* **snapshot**: Annotations are now included in snapshots, closes [#3635](https://github.com/grafana/grafana/issues/3635)
* **Admin**: Admin can now have global overview of Grafana setup, closes [#3812](https://github.com/grafana/grafana/issues/3812)
* **graph**: Right side legend height is now fixed at row height, closes [#1277](https://github.com/grafana/grafana/issues/1277)
+* **Table**: All content in table panel is now html escaped, closes [#3673](https://github.com/grafana/grafana/issues/3673)
### Bug fixes
* **Playlist**: Fix for memory leak when running a playlist, closes [#3794](https://github.com/grafana/grafana/pull/3794)
diff --git a/public/app/plugins/panel/table/renderer.ts b/public/app/plugins/panel/table/renderer.ts
index 755c7262070..0a306b103a4 100644
--- a/public/app/plugins/panel/table/renderer.ts
+++ b/public/app/plugins/panel/table/renderer.ts
@@ -25,7 +25,7 @@ export class TableRenderer {
}
defaultCellFormater(v) {
- if (v === null || v === void 0) {
+ if (v === null || v === void 0 || v === undefined) {
return '';
}
@@ -36,7 +36,6 @@ export class TableRenderer {
return v;
}
-
createColumnFormater(style) {
if (!style) {
return this.defaultCellFormater;
@@ -97,6 +96,7 @@ export class TableRenderer {
renderCell(columnIndex, value, addWidthHack = false) {
value = this.formatColumnValue(columnIndex, value);
+ value = _.escape(value);
var style = '';
if (this.colorState.cell) {
style = ' style="background-color:' + this.colorState.cell + ';color: white"';
diff --git a/public/app/plugins/panel/table/specs/renderer_specs.ts b/public/app/plugins/panel/table/specs/renderer_specs.ts
index 8f551b5cb1d..75a6b03af98 100644
--- a/public/app/plugins/panel/table/specs/renderer_specs.ts
+++ b/public/app/plugins/panel/table/specs/renderer_specs.ts
@@ -11,6 +11,7 @@ describe('when rendering table', () => {
{text: 'Value'},
{text: 'Colored'},
{text: 'Undefined'},
+ {text: 'String'}
];
var panel = {
@@ -35,6 +36,10 @@ describe('when rendering table', () => {
colorMode: 'value',
thresholds: [50, 80],
colors: ['green', 'orange', 'red']
+ },
+ {
+ pattern: 'String',
+ type: 'string',
}
]
};
@@ -67,11 +72,26 @@ describe('when rendering table', () => {
});
it('colored cell should have style', () => {
- var html = renderer.renderCell(2, 85);
- expect(html).to.be('| 85.0 | ');
+ var html = renderer.renderCell(2, 85);
+ expect(html).to.be('85.0 | ');
});
- it('unformated undefined should be rendered as -', () => {
+ it('unformated undefined should be rendered as string', () => {
+ var html = renderer.renderCell(3, 'value');
+ expect(html).to.be('value | ');
+ });
+
+ it('string style with escape html should return escaped html', () => {
+ var html = renderer.renderCell(4, "&breaking
the
row");
+ expect(html).to.be('&breaking <br /> the <br /> row | ');
+ });
+
+ it('undefined formater should return escaped html', () => {
+ var html = renderer.renderCell(3, "&breaking
the
row");
+ expect(html).to.be('&breaking <br /> the <br /> row | ');
+ });
+
+ it('undefined value should render as -', () => {
var html = renderer.renderCell(3, undefined);
expect(html).to.be(' | ');
});