This is an automated email from the ASF dual-hosted git repository. plainheart pushed a commit to branch fix/lines-tooltip-xss in repository https://gitbox.apache.org/repos/asf/echarts.git
commit c69f6588265fd5e627ce7a3329a1c6bd40f10764
Author: plainheart <[email protected]>
AuthorDate: Sat May 9 01:27:56 2026 +0800
fix(lines): fix potential tooltip XSS vulnerability in lines series
---
 src/chart/lines/LinesSeries.ts | 21 +++++---- test/tooltip-xss.html | 103 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 9 deletions(-)
diff --git a/src/chart/lines/LinesSeries.ts b/src/chart/lines/LinesSeries.ts
index 3c23c1584..bb35b6fdf 100644
--- a/src/chart/lines/LinesSeries.ts
+++ b/src/chart/lines/LinesSeries.ts
@@ -337,19 +337,22 @@ class LinesSeriesModel extends SeriesModel<LinesSeriesOption> {
 dataType: string
 ) {
 const data = this.getData();
+ const value = this.getRawValue(dataIndex);
 const itemModel = data.getItemModel<LinesDataItemOption>(dataIndex);
- const name = itemModel.get('name');
- if (name) {
- return name;
+ let itemName = itemModel.get('name');
+ if (!itemName) {
+ const fromName = itemModel.get('fromName');
+ const toName = itemModel.get('toName');
+ const nameArr = [];
+ fromName != null && nameArr.push(fromName);
+ toName != null && nameArr.push(toName);
+ itemName = nameArr.join(' > ');
 }
- const fromName = itemModel.get('fromName');
- const toName = itemModel.get('toName');
- const nameArr = [];
- fromName != null && nameArr.push(fromName);
- toName != null && nameArr.push(toName);
 return createTooltipMarkup('nameValue', {
- name: nameArr.join(' > ')
+ name: itemName,
+ value,
+ noValue: value == null || isNaN(value as number)
 });
 }
diff --git a/test/tooltip-xss.html b/test/tooltip-xss.html
new file mode 100644
index 000000000..f14582b9f
--- /dev/null
+++ b/test/tooltip-xss.html
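Review bot: The new `if (!itemName)` branch and the `name: itemName` argument carry the security-relevant decision of this change — the name is no longer returned as a raw string from this method — but nothing in the code says why, so a later refactor could reintroduce the early `return name;` that the commit removes. A comment above `let itemName = itemModel.get('name');` such as `// Never return the raw name here: the tooltip renders the result as HTML, so the name must be passed through createTooltipMarkup (see test/tooltip-xss.html).` would pin that down; whether createTooltipMarkup itself encodes the name is not visible in this hunk, so the wording should match its actual contract. Separately, `isNaN(value as number)` casts away whatever getRawValue actually returns; if that can be a non-number (a string or an array for multi-dimensional data), the coercion inside isNaN decides noValue silently, so a `typeof value === 'number'` guard or a declared type for `value` would make the intent explicit. The enclosing method's signature starts before the hunk.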
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+
+<html>
+ <head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1" />
+ <script src="lib/simpleRequire.js"></script>
+ <script src="lib/config.js"></script>
+ <script src="lib/facePrint.js"></script>
+ <script src="lib/testHelper.js"></script>
+ <!-- <script src="lib/canteen.js"></script> -->
+ <!-- <script src="lib/draggable.js"></script> -->
+ <link rel="stylesheet" href="lib/reset.css" />
+ </head>
+ <body>
+ <style>
+ html {
+ /* Fix the line-height to integer to avoid it varying across clients and
+ causing visual test failures. Some clients may not support fractional px. 
*/
+ line-height: 18px;
+ }
+ </style>
+
+ <div id="main0"></div>
+
+ <script>
+ require([
+ 'echarts',
+ 'map/js/world'
+ ], function (echarts) {
+ var option = {
+ tooltip: { trigger: 'item' },
+ geo: { map: 'world' },
+ series: {
+ type: 'lines',
+ coordinateSystem: 'geo',
+ data: [
+ {
+ name: '<img src="x" onerror="onXSSTriggered(1)"/>',
+ coords: [
+ [110, -80],
+ [111, 80]
+ ],
+ value: 800
+ },
+ {
+ name: '<img src="x" onerror="onXSSTriggered(2)"/>',
+ coords: [
+ [100, -80],
+ [101, 80]
+ ],
+ value: NaN
+ }
+ ],
+ // tooltip: {
+ // valueFormatter: v => v + ' unit'
+ // }
+ }
+ };
+ window.onXSSTriggered = function () {
+ console.error('XSS triggered!');
+ chart.getDom().innerHTML = '<center style="margin-top:20px;color:red">XSS triggered</center>';
+ };
+
+ var chart = testHelper.create(echarts, 'main0', {
+ title: [
+ 'Hover the vertical line to see tooltip',
+ '(SHOULD **NOT** see the red "XSS triggered" text)'
+ ],
+ option: option
+ });
+ chart.dispatchAction({
+ type: 'showTip',
+ seriesIndex: 0,
+ dataIndex: 0,
+ position: ['50%', '50%']
+ });
+ });
+ </script>
+
+
+ </body>
+</html>
+
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
