Security Fix for Cross-site Scripting (XSS) - huntr.dev#315
Merged
Conversation
Security fix for Cross-Site Scripting Vulnerability in frappe-charts
Contributor
|
@pratu16x7 @scmmishra - let me know if you have any thoughts or questions, cheers! 🍰 |
Contributor
|
@JamieSlome @huntr-helper Can you please follow the PR template. I see a lot of irrelevant links to your site, while I appreciate the spirit of your contribution, I'd like the PR description to be on point only. |
Contributor
|
$25 Stonks |
Contributor
|
@scmmishra, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:
👇 👇 👇 |
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/arjunshibu has fixed the Cross-site Scripting (XSS) vulnerability 🔨. arjunshibu has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #313
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/frappe-charts/1/README.md
User Comments:
📊 Metadata *
frappe-chartsis vulnerable toCross-Site Scripting (XSS).Bounty URL: https://www.huntr.dev/bounties/1-npm-frappe-charts
⚙️ Description *
Cross-Site Scripting (XSS)attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.💻 Technical Description *
While rendering charts, the package is validating all object fields except
nameindatasetsarray, this allows malicious code execution. The fix is implemented by properly validatingnamefield to escape malicious characters.🐛 Proof of Concept (PoC) *
Steps To Reproduce
><img/	  src=~ onerror=alert('XSS')>and place it inname.References
🔥 Proof of Fix (PoF) *
+1 User Acceptance Testing (UAT)