Cross-Site Scripting vulnerability in the chart legend fields

Describe the bug

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

To Reproduce

  1. Run the following html file in any browser

```html
<html>
<head>
  <title>tui-chart</title>
</head>
<body>
  <link rel="stylesheet" href="https://uicdn.toast.com/chart/latest/toastui-chart.min.css" />
  <script src="https://uicdn.toast.com/chart/latest/toastui-chart.min.js"></script>
  <div id="chart-area"></div>
  <script type="text/javascript">
    const el = document.getElementById('chart-area');
    const data = {
      categories: ['Browser'],
      series: [
        {
          name: 'Chrome"<img src=x onerror=alert(1)>',
          data: 46.02,
        },
        {
          name: 'IE',
          data: 20.47,
        },
        {
          name: 'Firefox',
          data: 17.71,
        },
        {
          name: 'Safari',
          data: 5.45,
        },
        {
          name: 'Opera',
          data: 3.1,
        },
        {
          name: 'Etc',
          data: 7.25,
        },
      ],
    };
    const options = {
      chart: { title: 'Usage share of web browsers', width: 600, height: 400 },
    };

    const chart = toastui.Chart.pieChart({ el, data, options });
  </script>
</body>
</html>
```

  2. JavaScript alert will pop-up.

Vulnerability fix

I’ve fixed the vulnerability by sanitizing dangerous legend inputs just before rendering. Please refer to the PR here https://github.com/418sec/tui.chart/pull/1
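The report above describes a legend label being written into the page as markup. The following is an added example, not tui.chart's code and not the fix in the linked PR: it shows the general pattern of a legend renderer that concatenates an untrusted `name` into an HTML string (the kind of code that turns the reported payload into a live element) next to a version that HTML-escapes the value before it enters markup. `escapeHtml`, `renderLegendUnsafe`, `renderLegendSafe` and `containsInjectedTag` are hypothetical helpers written for this illustration; the sample series is constructed and reuses the label from the report.

```javascript
// Added example (not tui.chart's own code): how an unescaped legend label
// becomes markup, and how escaping it before rendering prevents that.

// Minimal HTML escaper: the five characters that can close a text or
// attribute context are replaced with their entity forms.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the series name is concatenated straight into an HTML
// string that is later assigned to innerHTML. A name such as
// 'Chrome"<img src=x onerror=alert(1)>' is parsed as a real <img> element,
// and the closing quote also escapes the title attribute.
function renderLegendUnsafe(series) {
  return series
    .map((item) => `<li class="legend-item" title="${item.name}">${item.name}</li>`)
    .join('');
}

// Hardened form: every untrusted value is escaped before it enters markup,
// in both the attribute position and the text position.
function renderLegendSafe(series) {
  return series
    .map((item) => {
      const name = escapeHtml(item.name);
      return `<li class="legend-item" title="${name}">${name}</li>`;
    })
    .join('');
}

// Crude check used to compare the two renderers: does the output contain any
// tag other than the <li> wrapper the template itself emits?
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

// Constructed sample input: the first label is the payload from the report.
const sampleSeries = [
  { name: 'Chrome"<img src=x onerror=alert(1)>', data: 46.02 },
  { name: 'IE', data: 20.47 },
];

console.log('unsafe:', renderLegendUnsafe(sampleSeries));
console.log('safe:  ', renderLegendSafe(sampleSeries));
```

When the legend is built through the DOM rather than as a string, the same property holds by construction: set the label with `textContent` (and attributes with `setAttribute`) instead of `innerHTML`, and no escaping step is needed because the value never passes through the HTML parser.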

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 15 (15 by maintainers)

Top GitHub Comments

2 reactions
jung-han commented, Feb 26, 2021

@arjunshibu ah okay. There is something we are working on now, so we will review it as quickly as possible next week. Thank you!

1 reaction
arjunshibu commented, Feb 25, 2021

@jung-han I have updated the fix. Can you take a look at it here https://github.com/418sec/tui.chart/pull/2

If you are okay with the commit, please comment @huntr-helper - LGTM there and the bot will open a PR to this repository so that I can earn a reward for fixing this vulnerability. Thanks for your time 😄
