atbeta opened a new issue, #21276:
URL: https://github.com/apache/echarts/issues/21276

   ### What problem does this feature solve?
   
   English:
   The ECharts tooltip formatter presents a serious XSS risk if user-provided 
data (such as name or value) is inserted directly into HTML. Although issue 
#14429 and the encodeHTML utility method have been discussed/provided, 
developers are often unaware of this risk because most modern frameworks 
(React, etc.) provide explicit warnings when there is XSS potential (e.g. 
dangerouslySetInnerHTML). In ECharts, however, tooltip formatter exposes this 
risk without any visible indication, making it easy for users to overlook. This 
is dangerous as XSS can lead to major security breaches. We recommend ECharts 
provide clear warnings either in documentation, API comments, or runtime 
console warnings to help users recognize and mitigate this risk.
   
   Chinese:
   The ECharts tooltip formatter carries a serious XSS risk when user-defined data (such as name or value) is inserted directly into HTML. Although issue #14429 already discussed this and provided the encodeHTML method, developers in practice often fail to notice the risk, because modern frameworks such as React normally give an explicit warning when XSS is possible (e.g. dangerouslySetInnerHTML). In the ECharts tooltip formatter scenario, however, users have almost no way to perceive the risk, so it is easily overlooked. Since XSS attacks can cause serious security problems, we suggest that the ECharts project give an explicit notice in the documentation, in API comments, or at runtime via a console warning, to help developers recognize and avoid the risk.
   
   ### What does the proposed API look like?
   
   English:
   Potential solutions include:
   - Adding security-focused documentation around tooltip formatter, 
highlighting XSS risks.
   - Adding explicit API comments/warnings.
   - Adding runtime console warnings if formatter returns interpolated HTML.
   
   Sample vulnerable code:
   ```js
   formatter: params => {
     const { name, value } = params;
     // name and value are interpolated unescaped into the tooltip HTML
     return `${name}, <b>${value}</b>`;
   }
   // If name or value is `<img src=1 onerror=alert(1)>`, XSS occurs!
   ```
   
   Sample mitigation:
   ```js
   formatter: params => {
     const { name, value } = params;
     // escape every untrusted field before it reaches innerHTML
     return `${echarts.encodeHTML(name)}, <b>${echarts.encodeHTML(value)}</b>`;
   }
   ```
   
   Chinese:
   Possible improvements include:
   - Highlighting the XSS risk and its countermeasures in the documentation related to tooltip formatter.
   - Adding a security warning in the API comments.
   - At runtime, proactively warning via console warning if the formatter returns unencoded HTML.
   
   Example of code with a security flaw:
   ```js
   formatter: params => {
     const { name, value } = params;
     // name and value are interpolated unescaped into the tooltip HTML
     return `${name}, <b>${value}</b>`;
   }
   // If name or value is `<img src=1 onerror=alert(1)>`, XSS is triggered!
   ```
   
   Example of a safe version:
   ```js
   formatter: params => {
     const { name, value } = params;
     // escape every untrusted field before it reaches innerHTML
     return `${echarts.encodeHTML(name)}, <b>${echarts.encodeHTML(value)}</b>`;
   }
   ```
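The vulnerable and mitigated formatters side by side, together with a wrapper that implements the runtime warning the issue proposes, as an added example that is not part of the issue or of ECharts itself; `encodeHTML` here is a stand-in for the library's own escaper, and the audited field names are an assumption:

```javascript
// Stand-in HTML escaper (assumption: mirrors what the ECharts encodeHTML
// utility does; use the library's own function in real code).
function encodeHTML(source) {
  return String(source)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: params fields land in the tooltip's innerHTML unescaped.
const unsafeFormatter = (params) => {
  const { name, value } = params;
  return `${name}, <b>${value}</b>`;
};

// Mitigated: every untrusted field is escaped before interpolation.
const safeFormatter = (params) => {
  const { name, value } = params;
  return `${encodeHTML(name)}, <b>${encodeHTML(value)}</b>`;
};

// Runtime check in the spirit of the proposal: run the formatter and report
// which params fields that contain markup characters appear verbatim (i.e.
// unescaped) in the returned HTML. The field list is an assumption covering
// the values a tooltip formatter commonly reads.
const AUDITED_FIELDS = ['name', 'value', 'seriesName'];
function auditFormatter(formatter, params) {
  const html = formatter(params);
  // Formatters may also return DOM nodes; only string output can be audited here.
  if (typeof html !== 'string') return { html, leaked: [] };
  const leaked = AUDITED_FIELDS.filter((key) => {
    if (params[key] === undefined || params[key] === null) return false;
    const raw = String(params[key]);
    return /[<>&"']/.test(raw) && html.includes(raw);
  });
  if (leaked.length > 0) {
    console.warn(`tooltip formatter interpolated unescaped field(s): ${leaked.join(', ')}`);
  }
  return { html, leaked };
}

// Constructed sample params reusing the payload quoted in the issue.
const sampleParams = { name: '<img src=1 onerror=alert(1)>', value: 42, seriesName: 'CPU' };
```

Running `auditFormatter(unsafeFormatter, sampleParams)` flags `name` and emits the warning; the escaped formatter produces `&lt;img ...&gt;, <b>42</b>` and flags nothing.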

