Security fix for Cross-Site Scripting Vulnerability in frappe-charts

[arjunshibu]

📊 Metadata *

frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-frappe-charts

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

💻 Technical Description *

While rendering charts, the package is validating all object fields except name in datasets array, this allows malicious code execution. The fix is implemented by properly validating name field to escape malicious characters.

🐛 Proof of Concept (PoC) *

Steps To Reproduce

• Open NPM repo https://www.npmjs.com/package/frappe-charts
• Open the Explore demos https://frappe.io/charts
• At the bottom find the sandbox Ref: https://codesandbox.io/s/frappe-charts-demo-viqud?from-embed=&file=/src/index.js
• Use the payload ><img/&#09;&#10;&#11; src=~ onerror=alert('XSS')> and place it in name.
• XSS payload will get executed.
  

References

🔥 Proof of Fix (PoF) *

• Before fix
  
• After fix, Cross-Site Scripting is prevented.
  

+1 User Acceptance Testing (UAT)

• I've executed unit tests.
• After fix the functionality is unaffected.

[Mik317]

LGTM 😄 🍰

Cheers,
Mik

[huntr-helper]

Congratulations arjunshibu - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord