The react-visjs-timeline component is vulnerable to Cross Site Scripting (XSS). An attacker that is able to control the items of a Timeline element can inject additional script code into the generated application. The issue is actually caused by vis.js, which (to my knowledge) is currently unmaintained.
As the actual HTML code is generated by vis.js, the XSS protection from react.js does not apply here.
Package versions
react-visjs-timeline: 1.5.0
vis version: 4.20.1
Steps to reproduce
Use the react-visjs-timeline demo application
Modify one of the items in the items array as follows: item<img src="xxx" onerror="alert(1234);" />
Start the demo application using npm start
Your browser should show an alert box with "1234"
Recommended solution
The best solution would be to use a maintained third-party library such as "DOMPurify" to strip script content from the items before they are passed to vis.js.
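As an added example (not code from the report, react-visjs-timeline or vis.js), the following shows the recommended pattern: run every HTML-bearing item field through a sanitizer before the items array reaches the Timeline component. DOMPurify is the sanitizer the report recommends; because this file has to run without that dependency, it falls back to a plain HTML escaper and accepts any sanitizer function as a parameter, so `DOMPurify.sanitize` can be plugged in unchanged. The set of fields treated as HTML (`content`, `title`) and the sample items are assumptions made for this example.

```javascript
// Added example: sanitize vis.js timeline items before they reach the component.
// Not part of react-visjs-timeline or vis.js.

// Dependency-free HTML escaper used as the default sanitizer so this file runs
// stand-alone. It removes all markup; DOMPurify would instead keep safe markup
// and drop dangerous tags and attributes such as onerror.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Item fields that vis.js inserts into the DOM as HTML (assumed field set:
// the item body and the tooltip text).
const HTML_FIELDS = ["content", "title"];

// Returns a copy of the items array with every HTML field passed through
// `sanitize`. Non-string fields (ids, dates, DOM nodes) are left untouched.
function sanitizeItems(items, sanitize = escapeHtml) {
  return items.map((item) => {
    const clean = { ...item };
    for (const field of HTML_FIELDS) {
      if (typeof clean[field] === "string") {
        clean[field] = sanitize(clean[field]);
      }
    }
    return clean;
  });
}

// Cheap defender-side check: does a string still contain a raw HTML tag?
function hasRawTag(html) {
  return /<[a-z]/i.test(html);
}

// Constructed sample items; the first carries the payload from the report.
const untrustedItems = [
  { id: 1, start: "2017-01-01", content: 'item<img src="xxx" onerror="alert(1234);" />' },
  { id: 2, start: "2017-01-02", content: "plain item" },
];

// With DOMPurify installed (assumed import), the same helper is used as:
//   import DOMPurify from "dompurify";
//   const safeItems = sanitizeItems(untrustedItems, (html) => DOMPurify.sanitize(html));
//   <Timeline items={safeItems} options={options} />
const safeItems = sanitizeItems(untrustedItems);
console.log(safeItems[0].content);
// → item&lt;img src=&quot;xxx&quot; onerror=&quot;alert(1234);&quot; /&gt;
```

The sanitization happens in the React layer, on the data, rather than in vis.js, which is the only place an application author controls when the underlying library is unmaintained. Keep the sanitizer call as close as possible to where the items are assembled so no code path can hand raw user input to the Timeline.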