jgraph / mxgraph

mxGraph is a fully client side JavaScript diagramming library

Cross-Site Scripting: DOM #426

Closed qiank128 closed 4 years ago

qiank128 commented 4 years ago

Abstract:

The method popup() in mxClient.min.js sends unvalidated data to a web browser on line 89, which can result in the browser executing malicious code.

alderg commented 4 years ago

All HTML Entities are converted in the output.
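
As an added illustration (not mxGraph's code, and not the popup() method the report refers to), the generic JavaScript below shows what "HTML entities are converted in the output" means for a DOM-XSS finding of this shape: the same popup markup built once without and once with entity encoding, run against a constructed probe payload. The names escapeHtml, renderPopupUnsafe, renderPopupEscaped and containsInjectedTag are assumptions made for this example only.

```javascript
// Added illustration, not mxGraph's code: the effect of entity-encoding
// untrusted text before it is concatenated into markup destined for innerHTML.
// Helper names are assumptions for this example.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Convert the five characters that can break out of a text node or a quoted
// attribute value into their entity form. Encoding '&' as well means input
// that already looks like an entity ("&amp;") is shown literally rather than
// being decoded by the browser into something the author did not write.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Unsafe pattern: untrusted strings go straight into the markup. A payload such
// as <img src=x onerror=...> survives intact and becomes a live element once the
// string is assigned to innerHTML.
function renderPopupUnsafe(title, message) {
  return '<div class="popup"><b>' + title + '</b><p>' + message + '</p></div>';
}

// Hardened pattern: every untrusted fragment is entity-encoded first, so the
// browser parses it as text rather than as tags or attributes.
function renderPopupEscaped(title, message) {
  return '<div class="popup"><b>' + escapeHtml(title) + '</b><p>' +
    escapeHtml(message) + '</p></div>';
}

// Minimal check used by this example: would the markup create an element with
// the given tag name? (A real test would assign to innerHTML in a browser and
// inspect the resulting DOM.)
function containsInjectedTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Constructed sample input: a typical DOM-XSS probe placed in the message field.
const PAYLOAD = '<img src=x onerror="alert(1)">';

const unsafeHtml = renderPopupUnsafe('Node', PAYLOAD);
const safeHtml = renderPopupEscaped('Node', PAYLOAD);
console.log(containsInjectedTag(unsafeHtml, 'img')); // true: an img element would be created
console.log(containsInjectedTag(safeHtml, 'img'));   // false: the probe is rendered as literal text
```

Entity encoding is the right defence when the value lands in a text node or a quoted attribute value. It does not make a value safe in other contexts, such as a URL attribute or the inside of a script or event handler, which is why the maintainer's request for an exact reproduction case is the correct next step: the context the value ends up in decides whether the reported finding is real.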

davidjgraph commented 4 years ago

@qiank128 Without an exact reproduction case we'll have to close this. You are welcome to submit such a case and we'll consider it.