diff --git a/packages/eslint-config-kibana/.eslintrc.js b/packages/eslint-config-kibana/.eslintrc.js
index a9529a3880ca..64c7e820accd 100644
--- a/packages/eslint-config-kibana/.eslintrc.js
+++ b/packages/eslint-config-kibana/.eslintrc.js
@@ -107,6 +107,7 @@ module.exports = {
'react/jsx-indent-props': ['error', 2],
'react/jsx-max-props-per-line': ['error', { maximum: 1, when: 'multiline' }],
'react/jsx-no-duplicate-props': ['error', { ignoreCase: true }],
+ 'react/no-danger': 'error',
'react/self-closing-comp': 'error',
'react/jsx-wrap-multilines': ['error', {
declaration: true,
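Review bot: Turning on `'react/no-danger': 'error'` makes every remaining `dangerouslySetInnerHTML` site an explicit opt-out, and the opt-out comment is where a later reader will look for the reason the injected content is safe, so the directive alone is not enough documentation. I would ask that each `eslint-disable-next-line react/no-danger` in this commit carry a short comment on the line above it naming why the markup is trusted, for example `// markdown-it output rendered with html: false, so embedded HTML is escaped`. Kibana's markdown component referenced elsewhere in this commit already documents its reason in prose; the other disable sites should match that standard.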
diff --git a/src/core_plugins/metric_vis/public/components/metric_vis_value.js b/src/core_plugins/metric_vis/public/components/metric_vis_value.js
index 3ae122733503..7eb86e03d8c5 100644
--- a/src/core_plugins/metric_vis/public/components/metric_vis_value.js
+++ b/src/core_plugins/metric_vis/public/components/metric_vis_value.js
@@ -37,7 +37,15 @@ class MetricVisValue extends Component {
{ showLabel &&
{metric.label}
diff --git a/src/ui/public/markdown/markdown.js b/src/ui/public/markdown/markdown.js
index 5841c92290ba..2e2b47e37c7b 100644
--- a/src/ui/public/markdown/markdown.js
+++ b/src/ui/public/markdown/markdown.js
@@ -12,6 +12,10 @@ import MarkdownIt from 'markdown-it';
*/
export function markdownFactory(whiteListedRules, openLinksInNewTab = false) {
let markdownIt;
+
+ // It is imperitive that the html config property be set to false, to mitigate XSS: the output of markdown-it is
+ // fed directly to the DOM via React's dangerouslySetInnerHTML below.
+
if (whiteListedRules && whiteListedRules.length > 0) {
markdownIt = new MarkdownIt('zero', { html: false, linkify: true });
markdownIt.enable(whiteListedRules);
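Review bot: The new comment misspells "imperative" as "imperitive" (`// It is imperitive that the html config property be set to false`), and it is placed above only the first `new MarkdownIt(...)` call; if the other branch of this `if` also constructs a parser, that call lies past the end of the hunk and the comment should say it applies to both. A wording like `// Every MarkdownIt instance created here MUST keep html: false: its output is injected via dangerouslySetInnerHTML, so raw HTML in the source must be escaped rather than passed through.` makes the scope explicit. A comment does not enforce the invariant, though; a small unit test asserting that `markdownFactory()` renders a literal `<script>` tag as escaped text would fail the build if someone later flips the flag. `markdownFactory` continues beyond this hunk.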
@@ -89,7 +93,12 @@ export class Markdown extends Component {
);
}
diff --git a/src/ui/public/notify/notifier.js b/src/ui/public/notify/notifier.js
index f089ac0b2499..fa303df19f89 100644
--- a/src/ui/public/notify/notifier.js
+++ b/src/ui/public/notify/notifier.js
@@ -349,7 +349,13 @@ Notifier.prototype.banner = function (content = '') {
title="Attention"
iconType="help"
>
-
+
Dismiss