In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.
If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.
Patches
In version 9, the whole rendering layer was refactored to use a DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.
This PR contains the following updates:
`^8.1.2` -> `^9.0.0`
GitHub Vulnerability Alerts
CVE-2021-29489
Workarounds
Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
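One way to implement the DOMPurify workaround described above (an added example, not code from the advisory or the Highcharts project): a recursive walk over the options object that hands every string value to an injected sanitizer, so in the browser you call it with `s => DOMPurify.sanitize(s)`. The `demoSanitize` stand-in, the `UNSAFE_KEYS` guard and the sample options are constructed here so the snippet runs offline without a DOM.

```javascript
// Added example, not from the advisory or the Highcharts project: sanitize
// every string in a Highcharts options object before Highcharts.chart() runs.
// Usage in the browser: sanitizeOptions(opts, s => DOMPurify.sanitize(s)).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function sanitizeOptions(value, sanitize, depth = 0) {
  if (depth > 64) throw new Error('options nesting too deep');
  if (typeof value === 'string') return sanitize(value);
  if (Array.isArray(value)) {
    return value.map(v => sanitizeOptions(v, sanitize, depth + 1));
  }
  if (isPlainObject(value)) {
    const out = {};
    for (const key of Object.keys(value)) {
      // Keys that would pollute Object.prototype are dropped, not copied.
      if (UNSAFE_KEYS.has(key)) continue;
      out[key] = sanitizeOptions(value[key], sanitize, depth + 1);
    }
    return out;
  }
  // Numbers, booleans, null, formatter functions, Dates etc. pass through.
  return value;
}

// Crude stand-in so the demo runs without a DOM: it only strips <script>
// elements and is NOT a substitute for DOMPurify in a real deployment.
function demoSanitize(s) {
  return s.replace(/<script\b[\s\S]*?<\/script>/gi, '');
}

// Constructed untrusted configuration as it might arrive from JSON; the
// "__proto__" member becomes an own property when parsed this way.
const untrustedOptions = JSON.parse(
  '{"title":{"text":"Sales<script>evil()</script>","useHTML":true},' +
  '"series":[{"name":"Q1<script>evil()</script>","data":[1,2,3]}],' +
  '"__proto__":{"polluted":true}}'
);

function cleanedOptions() {
  return sanitizeOptions(untrustedOptions, demoSanitize);
}
```

The cleaned object is what you hand to `Highcharts.chart()`; with `useHTML` enabled, DOMPurify still leaves safe markup such as `<b>` intact.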
Release Notes
highcharts/highcharts-dist
### [`v9.0.0`](https://togithub.com/highcharts/highcharts-dist/compare/v8.2.2...v9.0.0) [Compare Source](https://togithub.com/highcharts/highcharts-dist/compare/v8.2.2...v9.0.0)
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.