[BUG] Stored XSS in template name

**Describe the bug**
It's possible to execute JS on application context by modifying the API query values when saving a template.

**To Reproduce**
Access to a new dashboard in graphite-web instance (i.e. http://localhost/dashboard). You don't really need data in it.
Use the "Save As Template " feature (In the context menu Dashboard > Save As Template ). Give it a name.
`<img src=1 onerror=alert(1)>`
String to replace
`<img src=1 onerror=alert(1)>`
Use the "Template finder"  feature (In the context menu Dashboard > Template finder ). You can see XSS
**Expected behavior**
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

**Screenshots**
![Снимок экрана (2040)](https://user-images.githubusercontent.com/43312138/163120462-f0d3d047-4da8-4b3d-bc42-94b315cf44f1.png)
![Снимок экрана (2041)](https://user-images.githubusercontent.com/43312138/163120496-a0cc1894-42d0-4cb9-8690-d9941752a393.png)
![Снимок экрана (2042)](https://user-images.githubusercontent.com/43312138/163120527-185104af-43b4-44c8-b8be-8d3ef83223c2.png)
![Снимок экрана (2044)](https://user-images.githubusercontent.com/43312138/163120607-4ad0e211-0758-4044-b29b-0f6cdb0ea994.png)
![Снимок экрана (2043)](https://user-images.githubusercontent.com/43312138/163120651-45550d6c-27be-4418-b287-878fe827608b.png)

**Environment (please complete the following information):**
 - OS flavor: Debian 11
 - Graphite-web version 1.1.8
 - Setup type: docker



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] Stored XSS in template name #2745

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] Stored XSS in template name #2745

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions