Posted to commits@echarts.apache.org by GitBox <gi...@apache.org> on 2021/03/09 07:03:38 UTC

[GitHub] [echarts] RuiMM opened a new issue #14429: tooltips XSS problem

RuiMM opened a new issue #14429:
URL: https://github.com/apache/echarts/issues/14429


   ### Version
   5.0.2
   
   ### Steps to reproduce
   Reproduction address: https://codepen.io/ruimei/pen/zYombvZ
   The script is triggered when the tooltip is triggered
   
   ### What is expected?
   I hope it runs normally
   
   ### What is actually happening?
   xss


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@echarts.apache.org
For additional commands, e-mail: commits-help@echarts.apache.org


[GitHub] [echarts] 100pah commented on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
100pah commented on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-794847914


   I think it is not an issue.
   When the `tooltip.formatter` is totally defined by the user,
   the user should do the `encodeHTML` when assembling HTML text.
   For example: 
   
   ```js
   const option = {
       tooltip: {
           trigger: 'axis',
           formatter(params) {
               // Encode every data-derived string, including the category name,
               // before it is interpolated into the HTML tooltip.
               const name = params[0] && params[0].name;
               const rows = params.map((param) => `<br/>
                   <span class="serie-label" style="display:inline-block;margin-right:5px;border-radius:10px;width:10px;height:10px;
                       background-color:${param.color};"></span>
                   ${encodeHTML(param.seriesName)} : ${encodeHTML(param.value)}`);
               return `${encodeHTML(name)}${rows.join('')}`;
           }
       }
   };
   ```
   
   
   ```js
   // Replaces the five HTML-significant characters with entities;
   // null and undefined become an empty string.
   function encodeHTML(source) {
       return source == null
           ? ''
           : (source + '').replace(/([&<>"'])/g, function (str, c) {
               return {
                   '&': '&amp;',
                   '<': '&lt;',
                   '>': '&gt;',
                   '"': '&quot;',
                   '\'': '&#39;'
               }[c];
           });
   }
   ```
   
   echarts should not make `param.seriesName` and `param.value` encoded internally;
   otherwise users can only get the encoded `param.seriesName` and `param.value` and cannot do anything else with that string.




[GitHub] [echarts] 100pah edited a comment on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
100pah edited a comment on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-794847914


   I think it is not an issue.
   When the `tooltip.formatter` is totally defined by the user,
   the user should do the `encodeHTML` when assembling HTML text.
   For example: 
   
   ```js
   const option = {
       tooltip: {
           trigger: 'axis',
           formatter(params) {
               // Encode every data-derived string, including the category name,
               // before it is interpolated into the HTML tooltip.
               const name = params[0] && params[0].name;
               const rows = params.map((param) => `<br/>
                   <span class="serie-label" style="display:inline-block;margin-right:5px;border-radius:10px;width:10px;height:10px;
                       background-color:${param.color};"></span>
                   ${encodeHTML(param.seriesName)} : ${encodeHTML(param.value)}`);
               return `${encodeHTML(name)}${rows.join('')}`;
           }
       }
   };
   ```
   
   
   ```js
   // Replaces the five HTML-significant characters with entities;
   // null and undefined become an empty string.
   function encodeHTML(source) {
       return source == null
           ? ''
           : (source + '').replace(/([&<>"'])/g, function (str, c) {
               return {
                   '&': '&amp;',
                   '<': '&lt;',
                   '>': '&gt;',
                   '"': '&quot;',
                   '\'': '&#39;'
               }[c];
           });
   }
   ```
   
   echarts should not make `param.seriesName` and `param.value` encoded internally, because:
   + If echarts encodes them internally, users can only get the encoded `param.seriesName` and `param.value` and cannot do anything else with that string.
   + `encodeHTML` only makes sense in the HTML tooltip ([renderMode: html](https://echarts.apache.org/en/option.html#tooltip.renderMode)), but if `renderMode` is `richText`, we cannot make the encoded string display correctly.




[GitHub] [echarts] susiwen8 commented on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
susiwen8 commented on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-793520667


   It should be fixed in 97db80ac62988ea5cd7db68962d24312eeab57b6
   
   echarts-bot[bot] <no...@github.com> wrote on Tue, Mar 9, 2021 at 3:04 PM:
   
   > @RuiMM <https://github.com/RuiMM> It seems you are not using English,
   > I've helped translate the content automatically. To make your issue
   > understood by more people, we'd like to suggest using English next time.
   > 🤗
   > *TRANSLATED*
   >
   > *TITLE*
   >
   > Tooltips XSS problem
   >
   > *BODY*
   > Version
   >
   > 5.0.2
   > steps to reproduce
   >
   > Reclaim address: https://codepen.io/ruimei/pen/zyombvz
   > Trigger scripts when triggering tooltips
   > What is expected?
   >
   > I hope to run normally
   > What is actually happening?
   >
   > XSS




[GitHub] [echarts] 100pah edited a comment on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
100pah edited a comment on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-794847914


   I think it is not an issue.
   When the `tooltip.formatter` is totally defined by the user,
   the user should do the `encodeHTML` when assembling HTML text.
   For example: 
   
   ```js
   const option = {
       tooltip: {
           trigger: 'axis',
           formatter(params) {
               // Encode every data-derived string, including the category name,
               // before it is interpolated into the HTML tooltip.
               const name = params[0] && params[0].name;
               const rows = params.map((param) => `<br/>
                   <span class="serie-label" style="display:inline-block;margin-right:5px;border-radius:10px;width:10px;height:10px;
                       background-color:${param.color};"></span>
                   ${encodeHTML(param.seriesName)} : ${encodeHTML(param.value)}`);
               return `${encodeHTML(name)}${rows.join('')}`;
           }
       }
   };
   ```
   
   
   ```js
   // Replaces the five HTML-significant characters with entities;
   // null and undefined become an empty string.
   function encodeHTML(source) {
       return source == null
           ? ''
           : (source + '').replace(/([&<>"'])/g, function (str, c) {
               return {
                   '&': '&amp;',
                   '<': '&lt;',
                   '>': '&gt;',
                   '"': '&quot;',
                   '\'': '&#39;'
               }[c];
           });
   }
   ```
   
   echarts should not make `param.seriesName` and `param.value` encoded internally, because:
   + If echarts encodes them internally, users can only get the encoded `param.seriesName` and `param.value` and cannot do anything else with that string.
   + `encodeHTML` only makes sense in the HTML tooltip ([renderMode: html](https://echarts.apache.org/en/option.html#tooltip.renderMode)), but if `renderMode` is `richText`, we cannot make the encoded string display correctly.
   + Theoretically, all of the properties in the `tooltip.formatter` args can be assembled into HTML. echarts does not know which properties users really need. If it did `encodeHTML` internally, echarts would need to encode all of the possible properties internally, especially the complex structure `params.data`. It's too complicated.
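An added example (not code from the issue thread or the echarts project) that applies the advice above: a user-defined `tooltip.formatter` for `trigger: 'axis'` that HTML-encodes every data-derived field, run against a constructed `params` array whose category and series names contain markup, plus a check that the only tags left in the output are the ones the formatter itself emitted. The `params` shape and the `containsOnlyOwnMarkup` helper are assumptions for the demonstration.

```javascript
// Added example: a defensive tooltip.formatter of the kind the comment
// recommends, exercised on constructed input. Not echarts project code.

// Entity-encode the five HTML-significant characters; null/undefined -> ''.
function encodeHTML(source) {
  return source == null
    ? ''
    : String(source).replace(/[&<>"']/g, (c) => ({
        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
      }[c]));
}

// Formatter for trigger: 'axis'. Every field that originates from the
// dataset (category name, series name, value) is encoded before it is
// interpolated; `color` lands inside a quoted style attribute, so it is
// encoded as well (treated as a plain string here).
function axisTooltipFormatter(params) {
  const name = params[0] && params[0].name;
  const rows = params.map((param) =>
    `<br/><span class="serie-label" style="display:inline-block;width:10px;height:10px;` +
    `background-color:${encodeHTML(param.color)};"></span>` +
    `${encodeHTML(param.seriesName)} : ${encodeHTML(param.value)}`);
  return `${encodeHTML(name)}${rows.join('')}`;
}

// Constructed params, shaped like what echarts passes for an axis trigger
// (assumption). The names carry markup a data source could contain.
const sampleParams = [
  { name: '<b>Q1</b> & "Q2"', seriesName: '<i>sales</i>', value: 120, color: '#5470c6' },
  { name: '<b>Q1</b> & "Q2"', seriesName: "it's", value: '<42>', color: '#91cc75' },
];

// True when, after removing the <br/> and swatch <span> the formatter itself
// writes, no angle bracket remains, i.e. nothing from the data became markup.
function containsOnlyOwnMarkup(html) {
  const stripped = html
    .replace(/<br\/>/g, '')
    .replace(/<span class="serie-label"[^>]*><\/span>/g, '');
  return !/[<>]/.test(stripped);
}

const tooltipHtml = axisTooltipFormatter(sampleParams);
console.log(tooltipHtml);
console.log('data-derived markup neutralised:', containsOnlyOwnMarkup(tooltipHtml));
```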




[GitHub] [echarts] echarts-bot[bot] commented on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
echarts-bot[bot] commented on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-793532033


   This issue is labeled with `priority: high`, which means it's a frequently asked problem and we will fix it ASAP.




[GitHub] [echarts] echarts-bot[bot] commented on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
echarts-bot[bot] commented on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-793468988








[GitHub] [echarts] 100pah edited a comment on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
100pah edited a comment on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-794847914


   I think it is not an issue.
   When the `tooltip.formatter` is totally defined by the user,
   the user should do the `encodeHTML` when assembling HTML text.
   For example: 
   
   ```js
   const option = {
       tooltip: {
           trigger: 'axis',
           formatter(params) {
               // Encode every data-derived string, including the category name,
               // before it is interpolated into the HTML tooltip.
               const name = params[0] && params[0].name;
               const rows = params.map((param) => `<br/>
                   <span class="serie-label" style="display:inline-block;margin-right:5px;border-radius:10px;width:10px;height:10px;
                       background-color:${param.color};"></span>
                   ${encodeHTML(param.seriesName)} : ${encodeHTML(param.value)}`);
               return `${encodeHTML(name)}${rows.join('')}`;
           }
       }
   };
   ```
   
   
   ```js
   // Replaces the five HTML-significant characters with entities;
   // null and undefined become an empty string.
   function encodeHTML(source) {
       return source == null
           ? ''
           : (source + '').replace(/([&<>"'])/g, function (str, c) {
               return {
                   '&': '&amp;',
                   '<': '&lt;',
                   '>': '&gt;',
                   '"': '&quot;',
                   '\'': '&#39;'
               }[c];
           });
   }
   ```
   
   echarts should not make `param.seriesName` and `param.value` encoded internally, because:
   (1) If echarts encodes them internally, users can only get the encoded `param.seriesName` and `param.value` and cannot do anything else with that string.
   (2) `encodeHTML` only makes sense in the HTML tooltip ([renderMode: html](https://echarts.apache.org/en/option.html#tooltip.renderMode)), but if `renderMode` is `richText`, we cannot make the encoded string display correctly.




[GitHub] [echarts] susiwen8 commented on issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
susiwen8 commented on issue #14429:
URL: https://github.com/apache/echarts/issues/14429#issuecomment-793531873


   No, it doesn't. We will look into it.




[GitHub] [echarts] susiwen8 closed issue #14429: tooltips XSS problem

Posted by GitBox <gi...@apache.org>.
susiwen8 closed issue #14429:
URL: https://github.com/apache/echarts/issues/14429


   

