orbisai0security opened a new pull request, #21596: URL: https://github.com/apache/echarts/pull/21596
## Summary

Fix high severity security issue in `dist/echarts.esm.mjs`.

## Vulnerability

| Field | Value |
|-------|-------|
| **ID** | V-001 |
| **Severity** | HIGH |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-001` |
| **File** | `dist/echarts.esm.mjs:19058` |

**Description**: ECharts accepts chart configuration objects via setOption(), which are processed by normalizeSetOptionInput(). String values within these options — including series names, axis labels, tooltip formatter output, and rich text content — are rendered into the DOM via innerHTML or SVG text nodes without consistent HTML sanitization. Any application that incorporates user-supplied or externally sourced data into chart options is vulnerable. This is an extremely common pattern in dashboards, analytics platforms, and multi-tenant SaaS products.

## Changes

- `src/component/tooltip/TooltipHTMLContent.ts`
- `dist/echarts.esm.mjs`

## Verification

- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---

*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
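A consumer-side mitigation for the pattern the description names, as an added example that is not part of this PR or of ECharts' own code: untrusted strings are escaped at the HTML sink (the tooltip formatter's return value under the default HTML render mode) rather than on input, so axis labels and series names, which are drawn as canvas or SVG text and never parsed as HTML, stay verbatim in the option. `escapeHtml`, `safeAxisTooltipFormatter`, `buildOption` and the sample data are constructed for this example.

```javascript
// Escape the five characters that are significant in HTML text and attribute
// contexts. Applied only where a string is about to be inserted as HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tooltip formatter for ECharts' default renderMode ('html'): the returned
// string is inserted into the tooltip element as HTML, so every field that
// originated in the data (series name, category name) is escaped here.
// Numeric values are coerced so a string value cannot carry markup either.
function safeAxisTooltipFormatter(params) {
  const list = Array.isArray(params) ? params : [params];
  return list
    .map((p) => `${escapeHtml(p.seriesName)}: ${escapeHtml(p.name)} = ${Number(p.value)}`)
    .join('<br/>');
}

// Build a setOption() payload from rows supplied by an external source.
// Labels are kept raw: they are rendered as canvas/SVG text, where escaping
// would only corrupt the display. The formatter above guards the HTML sink.
function buildOption(seriesName, rows) {
  return {
    xAxis: { type: 'category', data: rows.map((r) => String(r.label)) },
    yAxis: { type: 'value' },
    series: [{
      name: String(seriesName),
      type: 'bar',
      data: rows.map((r) => Number(r.value) || 0),
    }],
    tooltip: { trigger: 'axis', formatter: safeAxisTooltipFormatter },
  };
}

// Constructed sample of "external" rows, one of which carries markup.
const SAMPLE_ROWS = [
  { label: 'EMEA', value: 120 },
  { label: '<b>APAC</b> "east"', value: '95' },
];

// Constructed stand-in for the params ECharts passes to an axis-trigger
// tooltip formatter, mirroring SAMPLE_ROWS.
const SAMPLE_PARAMS = SAMPLE_ROWS.map((r) => ({
  seriesName: 'Revenue', name: r.label, value: r.value,
}));

console.log(safeAxisTooltipFormatter(SAMPLE_PARAMS));
```

Switching the chart to `tooltip.renderMode: 'richText'` removes the innerHTML sink altogether, at the cost of not being able to use HTML in formatter output.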
