Posted to commits@echarts.apache.org by GitBox <gi...@apache.org> on 2021/03/09 10:35:05 UTC

[GitHub] [echarts] pissang commented on a change in pull request #14434: Fix(xss): tooltip has xss problem

pissang commented on a change in pull request #14434:
URL: https://github.com/apache/echarts/pull/14434#discussion_r590194079



##########
File path: src/model/mixin/dataFormat.ts
##########
@@ -80,7 +80,7 @@ export class DataFormatMixin {
             seriesIndex: (this as any).seriesIndex,
             seriesId: isSeries ? this.id : null,
             seriesName: isSeries ? this.name : null,
-            name: name,
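Review bot: Encoding the `name` field inside `DataFormatMixin`'s params builder is the wrong layer; the neighbouring `seriesName` and `seriesId` fields on the same object stay raw, so the object becomes inconsistently encoded, and every consumer of these params, not only the tooltip renderer, would receive HTML entities in place of the data value (the hunk is truncated here, so the replacement for `name: name,` is not visible). Suggest leaving `name: name,` unchanged and escaping once, at the point where the tooltip writes the string into HTML.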

Review comment:
       We should not encode the params; they are not only used in the tooltip.

##########
File path: src/component/tooltip/TooltipView.ts
##########
@@ -509,9 +509,9 @@ class TooltipView extends ComponentView {
                     cbParams.axisIndex = axisItem.axisIndex;
                     cbParams.axisType = axisItem.axisType;
                     cbParams.axisId = axisItem.axisId;
-                    cbParams.axisValue = axisHelper.getAxisRawValue(
+                    cbParams.axisValue = formatUtil.encodeHTML(axisHelper.getAxisRawValue(
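Review bot: Wrapping `axisHelper.getAxisRawValue(...)` in `formatUtil.encodeHTML(...)` escapes `cbParams.axisValue` unconditionally for every formatter callback, while the sibling `axisIndex`, `axisType` and `axisId` assignments are left as-is; a user formatter that already escapes its own output will double-encode (`&` becomes `&amp;amp;`), and a non-string axis value would come back as a string if `encodeHTML` coerces its input. The hunk shows only the opening of the call, so check that the added parenthesis is closed on the following line. Suggest keeping `axisValue` raw and applying `encodeHTML` in the default tooltip renderer, or gating the escaping behind an opt-in option.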

Review comment:
       I think it's very common that chars like '&', '"' exist in the strings. We should not do such a general encoding. At least we should use an option to enable it optionally.
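The two concerns raised in this review, that data containing `&` or `"` gets altered for every consumer and that careful formatters end up double-encoding, as an added TypeScript example. This is not ECharts code: `encodeHTML`, the `Params` shape, `buildParamsEncoded`, `buildParamsRaw`, `renderDefault`, `userFormatter`, `isHighlighted` and the sample item are all constructed here.

```typescript
// Added example (not ECharts code): "escape while building the params object"
// versus "escape where the string is written into HTML".

/** Escape the characters that matter in HTML text and attribute context. */
function encodeHTML(source: string): string {
  return source
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

/** Simplified shape of the params object handed to formatter callbacks (assumed). */
interface Params {
  seriesName: string;
  name: string;
  value: number;
}

/** A raw data item as it would come from series data (constructed). */
interface RawItem {
  seriesName: string;
  name: string;
  value: number;
}

/** Variant A: encode inside the params builder, as the reviewed change does. */
function buildParamsEncoded(item: RawItem): Params {
  return { seriesName: item.seriesName, name: encodeHTML(item.name), value: item.value };
}

/** Variant B: params stay raw; escaping is the renderer's job. */
function buildParamsRaw(item: RawItem): Params {
  return { seriesName: item.seriesName, name: item.name, value: item.value };
}

/** Default HTML renderer: every string is escaped exactly once, at the sink. */
function renderDefault(p: Params): string {
  return `${encodeHTML(p.seriesName)}<br/>${encodeHTML(p.name)}: ${p.value}`;
}

/** A user formatter that already escapes for itself; under variant A it double-encodes. */
function userFormatter(p: Params): string {
  return `<b>${encodeHTML(p.name)}</b> = ${p.value}`;
}

/** A non-HTML consumer of the same params: matches on the raw data name. */
function isHighlighted(p: Params, highlightName: string): boolean {
  return p.name === highlightName;
}

/** Constructed sample whose name contains exactly the characters the review mentions. */
const SAMPLE: RawItem = { seriesName: 'Sales', name: 'Tom & "Jerry" <b>', value: 42 };
```

With variant B, `renderDefault` neutralises the `<b>` in the sample name while `userFormatter` and `isHighlighted` still see the data as stored; with variant A, the same user formatter emits `&amp;amp;` and the name comparison silently fails.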



