Merge pull request elastic#7568 from bevacqua/hotfix/config-xss

Fixed scripting issues due to improperly encoded kibana payload
airow · Jun 28, 2016 · 271aa69 · 271aa69
2 parents 1248b2f + e33fa40
commit 271aa69
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 8 deletions.
diff --git a/src/ui/public/metadata.js b/src/ui/public/metadata.js
@@ -1,11 +1,9 @@
+import $ from 'jquery';
 import _ from 'lodash';
-// singleton for immutable copy of window.__KBN__
 
-if (!_.has(window, '__KBN__')) {
-  throw new Error('window.__KBN__ must be set for metadata');
-}
+const state = $('kbn-initial-state').attr('data');
+const kbn = window.__KBN__ = JSON.parse(state);
 
-const kbn = _.cloneDeep(window.__KBN__ || {});
 export default deepFreeze(kbn);
 
 function deepFreeze(object) {

diff --git a/src/ui/views/chrome.jade b/src/ui/views/chrome.jade
@@ -1,5 +1,5 @@
-- var j = function (o) { return JSON.stringify(o); }
-- var appName = 'kibana';
+-
+  var appName = 'kibana';
 
 block vars
 
@@ -12,5 +12,5 @@ html(lang='en')
     title Kibana
     block head
   body(kbn-chrome, id='#{appName}-body')
-    script window.__KBN__ = !{j(kibanaPayload)};
+    kbn-initial-state(data=JSON.stringify(kibanaPayload))
     block content