Cross-Site Scripting (XSS) : issue fix by sanitizing strings before rendering

[d3v53c]

📊 Metadata *

zingchart-react is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-zingchart-react

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

💻 Technical Description *

Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution.

🐛 Proof of Concept (PoC) *

Open https://github.com/zingchart/zingchart-react
Open link in about https://www.zingchart.com/docs/integrations/react
Open in Sandbox https://codesandbox.io/s/zingchart-react-wrapper-example-dxfc9?from-embed
Insert the xss payload in any of the values field in series in Simple.jsx. EX:

values: [4, '><img src=x onerror=alert(1)>', 3, 4, 5, 3, 5, 4, 11]

XSS payload will get executed.

🔥 Proof of Fix (PoF) *

Before:

After:

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

[Mik317]

LGTM 😄 🍰
Sorry for late reply 👍

Cheers,
Mik

[mzfr]

LGTM!! 🙂

[huntr-helper]

Congratulations d3v53c - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord