Check the validity of the generatorURL field

simonpasquier · gotjosh · commit b8f60392f4d8 · 2023-08-23T16:42:24.000+01:00
The Source button should only be displayed if the link starts by
'http://' or 'https://'.

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## 0.26.0-rc.0 / 2023-08-17
+## 0.26.0 / 2022-08-23
 
 * [CHANGE] Telegram Integration: `api_url` is now optional. #2981
 * [CHANGE] Telegram Integration: `ParseMode` default is now `HTML` instead of `MarkdownV2`. #2981
@@ -25,6 +25,7 @@
 * [BUGFIX] API: Fixed duplicate receiver names in the `api/v2/receivers` API endpoint. #3338
 * [BUGFIX] API: Attempting to delete a silence now returns the correct status code, `404` instead of `500`. #3352
 * [BUGFIX] Clustering: Fixes a panic when `tls_client_config` is empty. #3443
+* [BUGFIX] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI.
 
 ## 0.25.0 / 2022-12-22
 
diff --git a/asset/assets_vfsdata.go b/asset/assets_vfsdata.go
diff --git a/ui/app/src/Views/Shared/Alert.elm b/ui/app/src/Views/Shared/Alert.elm
@@ -45,8 +45,12 @@ titleView alert =
 
 generatorUrlButton : String -> Html msg
 generatorUrlButton url =
-    a
-        [ class "btn btn-outline-info border-0", href url ]
-        [ i [ class "fa fa-line-chart mr-2" ] []
-        , text "Source"
-        ]
+    if String.startsWith "http://" url || String.startsWith "https://" url then
+        a
+            [ class "btn btn-outline-info border-0", href url ]
+            [ i [ class "fa fa-line-chart mr-2" ] []
+            , text "Source"
+            ]
+
+    else
+        text ""
