XSS injection risk in the default tooltip format #4769

Closed
tianxl992367399 opened this issue Dec 23, 2016 · 1 comment
tianxl992367399 commented Dec 23, 2016

XSS injection risk in the default tooltip format

One-line summary [Brief description of the problem]

Set one element of xAxis.data to '<---img src=1 onerror=alert(1)>',
remove the ---, and leave the tooltip display format at its default.
When the mouse moves over the corresponding element in the chart, a small popup box appears on the page.

Version & Environment [Version and environment]

  • ECharts version [ECharts version]: 3.0
  • Browser version [Browser type and version]: Chrome
  • OS Version [Operating system type and version]: Win7

Expected behaviour [Expected result]

The expected result is: the tooltip displays <---img src=1 onerror=alert(1)>,
with the --- removed.

ECharts option [ECharts configuration]

```js
// Reproducer option from the report: the '<img src=1 onerror=alert(1)>' strings
// are the reported payload, placed in legend.data, xAxis.data, a series stack
// name and a series name so that they reach the default tooltip untouched.
option = {
    title: {
        text: '堆叠区域图'
    },
    tooltip : {
        trigger: 'axis'
    },
    legend: {
        data:['邮件营销','<img src=1 onerror=alert(1)>','视频广告','直接访问','搜索引擎']
    },
    toolbox: {
        feature: {
            saveAsImage: {}
        }
    },
    grid: {
        left: '3%',
        right: '4%',
        bottom: '3%',
        containLabel: true
    },
    xAxis : [
        {
            type : 'category',
            boundaryGap : false,
            data : ['<img src=1 onerror=alert(1)>','周二','周三','周四','周五','周六','周日']
        }
    ],
    yAxis : [
        {
            type : 'value'
        }
    ],
    series : [
        {
            name:'邮件营销',
            type:'line',
            stack: '<img src=1 onerror=alert(1)>',
            areaStyle: {normal: {}},
            data:[120, 132, 101, 134, 90, 230, 210]
        },
        {
            name:'联盟广告',
            type:'line',
            stack: '总量',
            areaStyle: {normal: {}},
            data:[220, 182, 191, 234, 290, 330, 310]
        },
        {
            name:'<img src=1 onerror=alert(1)>',
            type:'line',
            stack: '总量',
            areaStyle: {normal: {}},
            data:[150, 232, 201, 154, 190, 330, 410]
        },
        {
            name:'直接访问',
            type:'line',
            stack: '总量',
            areaStyle: {normal: {}},
            data:[320, 332, 301, 334, 390, 330, 320]
        },
        {
            name:'搜索引擎',
            type:'line',
            stack: '总量',
            label: {
                normal: {
                    show: true,
                    position: 'top'
                }
            },
            areaStyle: {normal: {}},
            data:[820, 932, 901, 934, 1290, 1330, 1320]
        }
    ]
};
```

Other comments [Other information]

It is suggested that special characters in the content displayed by the tooltip be escaped.
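The mitigation the report asks for, as an added example that is not part of the issue or of ECharts itself: a custom `tooltip.formatter` that HTML-escapes every data-derived string (category name, series name, value) before the tooltip is rendered, so the reported payload is shown as literal text. It assumes that for `tooltip.trigger: 'axis'` ECharts calls the formatter with an array of objects carrying `name`, `seriesName` and `value`; the sample parameters and the `myChart` instance are constructed for illustration.

```javascript
// Added example (not ECharts code): an HTML-escaping tooltip formatter.
// Assumption: with tooltip.trigger === 'axis', ECharts passes the formatter an
// array of objects that carry at least seriesName, name and value.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that are significant in HTML text and attributes.
// Ampersand must be in the set, otherwise an already-escaped entity could be
// turned back into a tag by a second decode.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the tooltip body; only the <br/> separators are trusted markup,
// everything derived from option data goes through escapeHtml first.
function safeTooltipFormatter(params) {
  const items = Array.isArray(params) ? params : [params];
  if (items.length === 0) return '';
  const lines = [escapeHtml(items[0].name)]; // category label (xAxis.data entry)
  for (const p of items) {
    lines.push(`${escapeHtml(p.seriesName)}: ${escapeHtml(p.value)}`);
  }
  return lines.join('<br/>');
}

// Simple check usable in a test suite: true if the string still contains a
// tag-like sequence other than the <br/> separators the formatter emits.
function containsRawTag(html) {
  return /<(?!br\/>)[a-zA-Z]/.test(html);
}

// Constructed sample: what the formatter would receive for the first category
// of the reported option, with the two series whose names carry the payload.
const SAMPLE_PARAMS = [
  { seriesName: '邮件营销', name: '<img src=1 onerror=alert(1)>', value: 120 },
  { seriesName: '<img src=1 onerror=alert(1)>', name: '<img src=1 onerror=alert(1)>', value: 150 },
];

// Usage with a chart (myChart is a hypothetical initialised ECharts instance):
// myChart.setOption({ tooltip: { trigger: 'axis', formatter: safeTooltipFormatter } });
```

Escaping at the point of rendering is the right layer for this: the option values themselves may legitimately contain `<` or `&` (for example in a category label), so the fix is to treat them as text rather than to reject them on input.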

tianxl992367399 commented Dec 24, 2016

#4779 has already been updated to the latest echarts.js following this reply, changed according to a70f6d4.
