Closed BobGneu closed 7 months ago
Good day!
It looks like in zoom.js the type check at the head of the function is for an SVGElement, but it ought to be the SVGSVGElement.
zoom.js
SVGElement
SVGSVGElement
https://github.com/d3/d3-zoom/blob/main/src/zoom.js#L17-L28
Per the definition on the MDN this results in an opportunity for misuse to result in an element being passed in that is not the outermost SVG element.
https://developer.mozilla.org/en-US/docs/Web/API/SVGSVGElement https://developer.mozilla.org/en-US/docs/Web/API/SVGElement
Also noticed that the repo has not had its open PRs merged in in some time. If the there is a maintainer around and interest I can get a PR in for review later in the week. Looks like it should be a really quick changeset.
It seems that the code is correctly answering this on line 20 by switching to the ownerSVG, if any: e = e.ownerSVGElement || e;
e = e.ownerSVGElement || e;
Good day!
It looks like in
zoom.js
the type check at the head of the function is for anSVGElement
, but it ought to be theSVGSVGElement
.https://github.com/d3/d3-zoom/blob/main/src/zoom.js#L17-L28
Per the definition on the MDN this results in an opportunity for misuse to result in an element being passed in that is not the outermost SVG element.
https://developer.mozilla.org/en-US/docs/Web/API/SVGSVGElement https://developer.mozilla.org/en-US/docs/Web/API/SVGElement
Also noticed that the repo has not had its open PRs merged in in some time. If the there is a maintainer around and interest I can get a PR in for review later in the week. Looks like it should be a really quick changeset.