From 8f6ef04d70ebf1697b313e05da6dd6a9abe2d5bf Mon Sep 17 00:00:00 2001
From: Julius Volz <julius.volz@gmail.com>
Date: Sun, 22 Mar 2015 21:59:14 +0100
Subject: [PATCH] HTML-escape label values in Rickshaw hover-detail.

---
 web/static/js/graph.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/static/js/graph.js b/web/static/js/graph.js
index 4ead10192a..3a87ace499 100644
--- a/web/static/js/graph.js
+++ b/web/static/js/graph.js
@@ -365,7 +365,7 @@ Prometheus.Graph.prototype.renderLabels = function(labels) {
   var labelStrings = [];
   for (label in labels) {
     if (label != "__name__") {
-      labelStrings.push("<strong>" + label + "</strong>: " + labels[label]);
+      labelStrings.push("<strong>" + label + "</strong>: " + escapeHTML(labels[label]));
     }
   }
   return labels = "<div class=\"labels\">" + labelStrings.join("<br>") + "</div>";