
Upgrade Highcharts - Cross Site Scripting vuln

Open rjensen-r7 opened this issue 5 years ago • 3 comments

Highcharts dependency needs to be upgraded to >= 8.1.1.

https://www.npmjs.com/advisories/1227

Overview

Versions of highcharts prior to 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.

Remediation

Upgrade to version 8.1.1 or later.

rjensen-r7 avatar Jun 09 '20 19:06 rjensen-r7
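The advisory quoted in the issue describes the missing control as an href value that is passed through without restricting its URL scheme. The block below is an added illustration of that control, written for this thread; it is not code from Highcharts, react-highcharts or the advisory, and the function names (`sanitizeHref`, `escapeAttr`, `renderLink`) and the sample inputs are constructed for the example. It relies on the WHATWG `URL` parser to normalise the scheme (case, embedded tabs and newlines, leading whitespace) before comparing it against an allowlist, and escapes the surviving value before it is placed in an attribute.

```javascript
// Added example for this issue thread: a URL-scheme allowlist for href values.
// Not code from Highcharts or react-highcharts; it only illustrates the kind of
// check the npm advisory (1227) says was missing. All names are hypothetical.

// Schemes a chart link may legitimately use. Anything else (javascript:,
// data:, vbscript:, ...) is refused rather than passed through to the DOM.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Base used only to resolve relative hrefs such as "/docs" or "#top"; a
// relative link inherits the page's own scheme, so it is safe to keep.
const RESOLVE_BASE = 'https://example.invalid/';

// Return the href unchanged when its scheme is allowed, otherwise null.
function sanitizeHref(value) {
  if (typeof value !== 'string') return null;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips tabs, newlines and
    // leading/trailing control characters, so "JaVaScRiPt:" and "java\tscript:"
    // are both recognised as the javascript: scheme.
    parsed = new URL(value, RESOLVE_BASE);
  } catch (e) {
    return null; // unparsable input is dropped, not passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? value : null;
}

// Escape the characters that matter inside a double-quoted HTML attribute or
// text node, so a value that passed the scheme check cannot break out of it.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build an anchor tag the way a label renderer might; a link whose scheme was
// rejected is emitted as plain text instead of an anchor.
function renderLink(href, text) {
  const safe = sanitizeHref(href);
  const label = escapeAttr(text);
  if (safe === null) return `<span>${label}</span>`;
  return `<a href="${escapeAttr(safe)}">${label}</a>`;
}

// Constructed sample inputs (not taken from the issue) covering the edge cases.
const SAMPLES = [
  'https://example.com/report',
  '/relative/path',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', renderLink(s, 'label'));
}
```

The allowlist is deliberately short; a renderer that needs other schemes adds them explicitly rather than switching to a denylist, because the parser normalisation above is what makes the obfuscated spellings collapse onto the same `protocol` value.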

is anyone working on resolving this? @kirjs

lsiler-mdsol avatar Jun 16 '20 14:06 lsiler-mdsol

I'm also getting the same problem even for the latest version

Version installed: "highcharts": "^8.2.0", "react-highcharts": "^16.1.0",

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ highcharts                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.2.2 <8.0.0 || >=8.1.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-highcharts > highcharts                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1227                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Hope this will get fixed sooner. :+1:

piyalcodes avatar Aug 27 '20 09:08 piyalcodes
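The audit output above gives the advisory's fixed versions as the range `>=7.2.2 <8.0.0 || >=8.1.1`. As an added example for this thread (not code from npm, Highcharts or react-highcharts), the block below implements just enough of that range syntax to test a concrete installed version against it, so a reader can see which versions the advisory treats as patched. It assumes plain `x.y.z` versions without prerelease tags and supports only the operators that appear in the quoted range; the function names are constructed for the example.

```javascript
// Added example for this issue thread: check an installed version against the
// "Patched in" range shown in the audit table. Not code from npm or the
// projects involved; it handles only >=, <=, >, <, = and "||", and plain
// x.y.z versions. All names here are hypothetical.

// "8.2.0" -> [8, 2, 0]; anything else is rejected rather than guessed at.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=7.2.2" becomes a predicate on a version string.
function parseComparator(token) {
  const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(token);
  const op = m[1] || '=';
  const target = m[2];
  return (v) => {
    const c = compareVersions(v, target);
    switch (op) {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  };
}

// A range is a list of alternatives separated by "||"; each alternative is a
// whitespace-separated list of comparators that must all hold.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const checks = alt.trim().split(/\s+/).filter(Boolean).map(parseComparator);
    return checks.length > 0 && checks.every((check) => check(version));
  });
}

// The patched range exactly as the audit output in this thread prints it.
const PATCHED_IN = '>=7.2.2 <8.0.0 || >=8.1.1';

function isPatched(version) {
  return satisfies(version, PATCHED_IN);
}

// Versions around the two range boundaries, constructed for the example.
for (const v of ['7.2.1', '7.2.2', '8.0.0', '8.1.0', '8.1.1', '8.2.0']) {
  console.log(v, isPatched(v) ? 'patched' : 'vulnerable per advisory');
}
```

Note that the check takes the version actually resolved in the install tree, not a declared range such as `^8.2.0`; that is the value an audit tool compares against the advisory.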

There is an official HighchartsReact wrapper now, which might be the path forward: https://github.com/highcharts/highcharts-react

murb avatar Oct 21 '20 08:10 murb