Skip to content

Fix XSS in trace name on hover #1307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 17, 2017
Merged

Fix XSS in trace name on hover #1307

merged 2 commits into from
Jan 17, 2017

Conversation

etpinard
Copy link
Contributor

Report:

  • make a scatter plot with at least two traces
  • edit the name of one of the traces (in the legend) to: <img src=x onerror=console.log('hi')>
  • hover over any point in the trace with the bad name, the console.log will execute.
  • for bonus points, hide that trace name from the legend, and make that trace look like it's part of (or all of!) another trace - the user will see nothing.

@etpinard etpinard added status: reviewable bug something broken labels Jan 17, 2017
@etpinard etpinard added this to the v1.22.0 milestone Jan 17, 2017
@etpinard
Copy link
Contributor Author

cc @alexcjohnson

@alexcjohnson
Copy link
Collaborator

💃

@etpinard etpinard merged commit 9b7c18f into master Jan 17, 2017
@etpinard etpinard deleted the hover-fix-xss branch January 17, 2017 18:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug something broken
Projects
None yet
Milestone
v1.22.0
Development

Successfully merging this pull request may close these issues.
2 participants
@etpinard @alexcjohnson