Open rjensen-r7 opened 4 years ago
is anyone working on resolving this? @kirjs
I'm also getting the same problem even for the latest version
Version installed: `"highcharts": "^8.2.0", "react-highcharts": "^16.1.0"`
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ highcharts                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.2.2 <8.0.0 || >=8.1.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-highcharts > highcharts                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1227                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
Hope this will get fixed sooner. :+1:
There is an official HighchartsReact wrapper now, which might be the path forward: https://github.com/highcharts/highcharts-react
Highcharts dependency needs to be upgraded to >= 8.1.1.
https://www.npmjs.com/advisories/1227

Overview: Versions of highcharts prior to 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.

Remediation: Upgrade to version 8.1.1 or later.
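The advisory above says the fix was to restrict URL schemes on href values. Below is an added example of what such a scheme allowlist looks like; it is not code from this thread, from react-highcharts or from Highcharts, and the function names `isSafeHref` and `sanitizeHref`, the allowed-scheme set and the sample inputs are all assumptions made for illustration. It uses the WHATWG `URL` parser (available in Node and browsers) so that case differences and embedded tab or newline characters in the scheme are normalized before the check, rather than relying on a string prefix comparison.

```javascript
// Added example (not from the thread, react-highcharts or Highcharts): a URL-scheme
// allowlist for href values, the kind of restriction advisory 1227 describes as the fix.

// Hypothetical allowlist for this example: only navigational schemes are accepted.
// "javascript:", "data:", "vbscript:" and anything else are rejected by omission.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// A fixed base lets relative hrefs such as "/docs" parse; the host is a placeholder.
const PARSE_BASE = "https://example.invalid/";

// Returns true only if href parses as a URL whose scheme is in the allowlist.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and embedded
    // tab/newline characters and lower-cases the scheme, so "java\tscript:"
    // and " JavaScript:" both normalize to "javascript:" before the check.
    url = new URL(href, PARSE_BASE);
  } catch (e) {
    return false; // unparseable input is treated as unsafe
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Replaces a disallowed href with an inert value instead of emitting it into markup.
function sanitizeHref(href) {
  return isSafeHref(href) ? href.trim() : "#";
}

// Constructed sample inputs for the stand-alone run.
const SAMPLES = [
  "https://www.highcharts.com/",
  "/docs/getting-started",
  "mailto:support@example.invalid",
  "javascript:alert(1)",
  "java\tscript:alert(1)",
  " JavaScript:void(0)",
  "data:text/html,<b>x</b>",
  null,
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), "->", isSafeHref(sample) ? "allowed" : "rejected");
}
```

Note that a protocol-relative value such as `//host/path` resolves to the base's scheme and is therefore allowed; if links must stay on the application's own origin, compare `url.origin` as well.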