vaadin / charts

Framework 8 version of Vaadin Charts

Serialize all String properties as sanitized HTML #621

Closed alvarezguille closed 3 years ago

alvarezguille commented 3 years ago

This should be done for all strings except for functions, to prevent unwanted JS executions when rendering the chart.

raphaelgurtner commented 2 years ago

This seems to break certain things when using JS point formatting functions (see example in screenshots). Charts 4.2.1 produces the (correct) HTML, whereas 4.3 removes all HTML table/style elements even though JS functions should apparently not be sanitized.

[Screenshot 2021-12-12 at 23:28:18]

The Java code used for the example above:

```java
// Builds a Highcharts pointFormatter whose JS returns an HTML table row for
// each point; the markup has to survive serialization because the whole
// string is function source, not a plain text property.
public void setChartTooltip(Tooltip tooltip, String unit) {
    tooltip.setPointFormatter("function() { "
            + "var tipTxt = '<tr><td style=\"color: ' + this.series.color + '\">' + this.series.name + ': </td><td style=\"text-align: right\"><b>' + Math.round(this.y * 100) / 100;"
            // series whose name contains 'abc' are percentages; all others use the given unit
            + "if( this.series.name.indexOf('abc') >= 0 ) tipTxt = tipTxt + ' %</b></td></tr>'; else tipTxt = tipTxt + ' "
            + unit + "</b></td></tr>';"
            // 'dates' series get no tooltip; 'xyz' series show only their id
            + "if( this.series.name != 'dates' && this.series.name.indexOf('xyz') < 0 ) return tipTxt; "
            + "else if( this.series.name.indexOf('xyz') >= 0 ) return ': ' + this.id;" + "}");
}
```

Is this an intentional regression?
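The rule alvarezguille describes (sanitize every String property, but never a function) and the regression raphaelgurtner reports can be checked against a small model of that rule. This is an added example, not vaadin/charts code; the tag allowlist and the function-valued property names `formatter`/`pointFormatter` are assumptions made for the demo.

```javascript
// Added illustration of the behaviour discussed in #621; not the vaadin/charts
// serializer. The allowlist and the function-valued key names are assumptions.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'br', 'span']);
// Properties whose String value is JavaScript source and must pass through
// verbatim (assumed names; the real serializer decides this from the type).
const FUNCTION_KEYS = new Set(['formatter', 'pointFormatter']);

// Keep only allowlisted tags, and strip on* handlers and javascript: URLs
// from the tags that are kept. Text outside tags is left untouched.
function sanitizeHtml(input) {
  return input.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (m, slash, tag, attrs) => {
    if (!ALLOWED_TAGS.has(tag.toLowerCase())) return '';
    const clean = attrs
      .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
      .replace(/\s+[\w-]+\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]+)/gi, '');
    return `<${slash}${tag}${clean}>`;
  });
}

// Walk the configuration: every String is sanitized unless it sits under a
// function-valued property, in which case it is JS code and stays intact.
function sanitizeConfig(node, key = null) {
  if (typeof node === 'string') return FUNCTION_KEYS.has(key) ? node : sanitizeHtml(node);
  if (Array.isArray(node)) return node.map((v) => sanitizeConfig(v, key));
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = sanitizeConfig(v, k);
    return out;
  }
  return node;
}

// Constructed sample configuration: a hostile title, a hostile series name,
// and a point formatter that legitimately builds an HTML table row.
const sampleConfig = {
  title: { text: 'Sales <img src=x onerror="alert(1)"> <b>2021</b>' },
  tooltip: {
    pointFormatter:
      "function() { return '<tr><td style=\"color: ' + this.series.color + '\">' + this.series.name + '</td></tr>'; }",
  },
  series: [{ name: '<a href="javascript:alert(1)">abc</a>', data: [1, 2] }],
};

function demo() {
  return sanitizeConfig(sampleConfig);
}
console.log(JSON.stringify(demo(), null, 2));
```

With this split, the title and series name lose their injected markup while the formatter's `<tr><td style=...>` row survives, which is the outcome 4.3 should have produced for the code above.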