[BUG] Self-XSS in "Absolute Time Range"

[takyoni]

Describe the bug
It's possible to execute JS on application context by modifying the "Absolute Time Range"

To Reproduce
Access to a new dashboard in graphite-web instance (i.e. http://localhost/dashboard).
Use the "Absolute Time Range"
Write in Start Date:
<img src=1 onerror=alert()>
Write in EndDate:
<img src=1 onerror=alert()>
Hover the mouse over these fields
Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots

Environment (please complete the following information):

• OS flavor: Debian 11
• Graphite-web version 1.1.8
• Setup type: docker

[deniszh]

Looks like not fixed in #2785 :(
/cc @msaf1980

[msaf1980]

@deniszh I already update our staging (and production today). Now I can't reproduce a issue (and can before update). No alert window in web front and dangerous symbols are escaped.

[msaf1980]

As I think, bug in ExtJS DateField.