[v9.3.x] Fix XSS in runbook URL (grafana#684)

Fix XSS in runbook URL (grafana#681) (cherry picked from commit db1548c1491c2f5b522e3c0ceb1832b914a4b2f0) Co-authored-by: George Robinson <[email protected]> (cherry picked from commit e9cb2a3)
paul-wurth · Feb 8, 2023 · cdfe9e3 · cdfe9e3
1 parent e8b9894
commit cdfe9e3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/public/app/features/alerting/unified/components/rules/RuleDetailsActionButtons.tsx b/public/app/features/alerting/unified/components/rules/RuleDetailsActionButtons.tsx
@@ -1,7 +1,7 @@
 import { css } from '@emotion/css';
 import React, { FC, Fragment } from 'react';
 
-import { GrafanaTheme2 } from '@grafana/data';
+import { GrafanaTheme2, textUtil } from '@grafana/data';
 import { Button, HorizontalGroup, LinkButton, useStyles2 } from '@grafana/ui';
 import { contextSrv } from 'app/core/services/context_srv';
 import { AccessControlAction } from 'app/types';
@@ -61,7 +61,7 @@ export const RuleDetailsActionButtons: FC<Props> = ({ rule, rulesSource }) => {
         variant="primary"
         icon="book"
         target="__blank"
-        href={rule.annotations[Annotation.runbookURL]}
+        href={textUtil.sanitizeUrl(rule.annotations[Annotation.runbookURL])}
       >
         View runbook
       </LinkButton>