On Thu, 12 Sep 2024 13:09:53 +0200 "Alexandre Rossi" <n...@zincube.net> wrote:
> graphite-web in bookworm (1.1.8-2) does not allow saving dashboards due to
> missing function htmlEncode from dashboard.js. Workaround is to install
> 1.1.10-1 from testing, where dashboard.js contains the definition of
> htmlEncode.

Hi all,

I can add a few points. This more or less breaks the whole dashboard. I cannot load graphs either. Changing the relative time range (even if just changing values from the drop-down menu) also doesn't work. But I think it's fair enough to say that without saving and loading an application isn't really usable, is it?

> As a note to others: js is cached in the browser for quite some time, so the
> showing up of the bug was delayed
>
> Please consider the applied patch for bookworm which simply adds the missing
> function.

This was reported upstream as well:
https://github.com/graphite-project/graphite-web/issues/2711
and links to their fix at:
https://github.com/graphite-project/graphite-web/pull/2719
which also adds a function like the one suggested here, but additionally adds about a dozen calls to that function. See
https://github.com/graphite-project/graphite-web/commit/40a500d2036ed0b64aa333925bb8bf3de6786f66
for the actual commit. It only changes this single file and only contains the function and the calls to it as mentioned.

> I would, but uploads to stable need a bug with severity important (per policy
> § 5.5.1 [1]) or a special case (per policy § 5.5.2 [1]), which does not seem
> to be the case here.
>
> [1]
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#picking-a-distribution

Can we use a higher severity level then, please? graphite-web has more functionality than the dashboard, so this doesn't make the whole package unusable. But it does make the dashboard unusable.

This might also be a security issue, or at least it's related. The bug was introduced when attempting to secure the web frontend against XSS. See
https://github.com/graphite-project/graphite-web/issues/2520
for the original discussion of that and
https://github.com/graphite-project/graphite-web/pull/2620
for where the bug was introduced. Note that the commit referenced above fixes both the functional and the security problem. Also note that fixing the functional problem by adding the function but not adding the additional calls to it might leave a system vulnerable to that XSS.

If I can be of help in getting this furthered, let me know.

Thank you all and all the best,
Timo

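The point made in the message above, that a backport which defines htmlEncode but does not add the calls to it leaves the XSS in place, is easy to see in code. The following is an added example and is not dashboard.js or any other graphite-web code: the htmlEncode here is an assumed entity-escaping helper with the behaviour a function of that name normally has (the upstream implementation may differ), and the two render functions and the dashboard name are constructed for illustration only.

```javascript
// Added example, not graphite-web's dashboard.js. Shows what an htmlEncode
// helper does and why the call sites matter as much as the function itself.

// Assumed HTML entity encoder for text placed into markup (text nodes and
// double-quoted attribute values). Order matters: '&' must be replaced first,
// otherwise the entities produced by later replacements get double-encoded.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed dashboard name carrying a typical stored-XSS payload: it breaks
// out of an attribute value and injects an element with an event handler.
const HOSTILE_NAME = '<img src=x onerror="alert(1)"> "stats"';

// State of a system where htmlEncode exists but is never called: the name is
// concatenated straight into markup, so HOSTILE_NAME becomes live HTML.
function renderDashboardLinkUnsafe(name) {
  return '<a href="/dashboard/#' + name + '" title="' + name + '">' + name + "</a>";
}

// Hardened rendering: every interpolation goes through htmlEncode, for the
// attribute values as well as the text node.
function renderDashboardLinkSafe(name) {
  const enc = htmlEncode(name);
  return '<a href="/dashboard/#' + enc + '" title="' + enc + '">' + enc + "</a>";
}

// Crude check used by this example: does the markup contain any start or end
// tag other than the <a> we wrote ourselves?
function hasUnexpectedTag(html) {
  return /<(?!\/?a\b)[a-z]/i.test(html);
}

// Number of raw double quotes in the markup; the template itself contributes
// exactly four, so any extra ones came from unencoded input.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

console.log("unsafe:", renderDashboardLinkUnsafe(HOSTILE_NAME));
console.log("  injected tag present:", hasUnexpectedTag(renderDashboardLinkUnsafe(HOSTILE_NAME)));
console.log("safe:  ", renderDashboardLinkSafe(HOSTILE_NAME));
console.log("  injected tag present:", hasUnexpectedTag(renderDashboardLinkSafe(HOSTILE_NAME)));
```

Running this prints the unsafe markup with a live `<img ... onerror=...>` inside the link, while the hardened version contains only `&lt;img ...` as inert text and keeps exactly the four quotes the template supplies. This is the difference between the one-function patch proposed for bookworm and the upstream commit, which also rewrites the call sites.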