frappe / charts

Simple, responsive, modern SVG Charts with zero dependencies
https://frappe.io/charts
MIT License

Security Fix for Cross-site Scripting (XSS) - huntr.dev #315

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/arjunshibu has fixed the Cross-site Scripting (XSS) vulnerability 🔨. arjunshibu has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/charts/pull/1 |
| GitHub Issue | https://github.com/frappe/charts/issues/313 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/frappe-charts/1/README.md |

User Comments:

:bar_chart: Metadata *

frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-frappe-charts

:gear: Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

:computer: Technical Description *

While rendering charts, the package validates all object fields except `name` in the `datasets` array, which allows malicious code execution. The fix is implemented by properly validating the `name` field to escape malicious characters.

:bug: Proof of Concept (PoC) *

Steps To Reproduce

References

Github Issue

:fire: Proof of Fix (PoF) *

+1 User Acceptance Testing (UAT)
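To illustrate the missing-escape bug described in the Technical Description above, here is an added example (not frappe-charts' own code): a dataset `name` interpolated into SVG legend markup unescaped, beside the escaped version, plus a helper that escapes every dataset name in a config before rendering. The config shape `{ datasets: [{ name, values }] }` and the legend markup are assumptions, not taken from the library.

```javascript
// Added example, not frappe-charts' own code. The dataset shape
// { name, values } is assumed from the PR description.

// Entity mapping for every character that can change how a string is
// parsed once it lands inside SVG/HTML text or attribute content.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single-pass replacement, so an already-escaped '&amp;' is not double-escaped
// by a later rule (the classic bug when escaping with chained replace calls).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern kept for contrast: the config-supplied name is dropped
// straight into markup, so any markup characters in it are parsed as SVG.
function legendMarkupUnsafe(dataset) {
  return `<text class="legend-dataset-label">${dataset.name}</text>`;
}

// Hardened pattern: the name passes through escapeHtml before interpolation.
function legendMarkupSafe(dataset) {
  return `<text class="legend-dataset-label">${escapeHtml(dataset.name)}</text>`;
}

// Validate a whole config the way the fix describes: return a copy in which
// every dataset name is escaped, leaving the numeric values untouched.
function sanitizeDatasets(datasets) {
  return datasets.map((d) => ({ ...d, name: escapeHtml(d.name) }));
}

// Constructed sample input: one plain name and one carrying markup characters.
const sampleDatasets = [
  { name: 'Revenue', values: [10, 20, 30] },
  { name: 'Sales <b>Q1</b> & "misc"', values: [5, 15, 25] },
];

// Render both legend entries so the difference is visible when run directly.
for (const d of sampleDatasets) {
  console.log('unsafe:', legendMarkupUnsafe(d));
  console.log('safe:  ', legendMarkupSafe(d));
}
```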

JamieSlome commented 3 years ago

@pratu16x7 @scmmishra - let me know if you have any thoughts or questions, cheers! 🍰

scmmishra commented 3 years ago

@JamieSlome @huntr-helper Can you please follow the PR template? I see a lot of irrelevant links to your site; while I appreciate the spirit of your contribution, I'd like the PR description to be on point only.

GrosSacASac commented 3 years ago

$25 Stonks

JamieSlome commented 3 years ago

@scmmishra, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

👇 👇 👇