Cross-site Scripting (XSS) - Generic in frappe/charts

Reported on Jan 26th 2021

frappe-charts is vulnerable to Cross-Site Scripting (XSS) due to an incomplete fix.

Steps To Reproduce

  1. Open the following codesandbox
  2. Use the payload `<img src=x onerror=alert(1)>` and place it in the dataset values, e.g. `values: [25, "<img src=x onerror=alert(1)>"]`
  3. The XSS payload will be executed.
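As an added, defender-side illustration (not frappe-charts' own code), this is the pattern that closes this class of bug rather than patching one field at a time: every field of the chart input is treated as untrusted, strings are escaped before they are interpolated into markup, and entries in a numeric series that are not numbers are rejected. The function names (`sanitizeChartData`, `renderTooltipHtml`) and the sample data are constructed for this example.

```javascript
// Added example: uniform input handling for chart data (not frappe-charts code).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML-significant character; applied to any string that ends up
// interpolated into chart markup (axis labels, legend names, tooltip titles).
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// A numeric series must hold finite numbers. Numeric strings are coerced;
// anything else (including the <img> payload from the report) is rejected.
function toSafeNumber(value) {
  if (typeof value === 'number' && Number.isFinite(value)) return value;
  if (typeof value === 'string' && value.trim() !== '' && Number.isFinite(Number(value))) {
    return Number(value);
  }
  throw new TypeError(`chart value is not numeric: ${JSON.stringify(value)}`);
}

// Normalise the whole input object once, on the way in, so every later render
// path (SVG text, tooltips, legends) only ever sees clean data. An "incomplete
// fix" is typically one that escapes labels here but forgets the values array.
function sanitizeChartData(data) {
  return {
    labels: (data.labels || []).map(escapeHtml),
    datasets: (data.datasets || []).map((ds) => ({
      name: escapeHtml(ds.name),
      values: (ds.values || []).map(toSafeNumber),
    })),
  };
}

// Build tooltip markup from sanitized data only (hypothetical renderer).
function renderTooltipHtml(clean, index) {
  const rows = clean.datasets
    .map((ds) => `<li>${ds.name}: ${ds.values[index]}</li>`)
    .join('');
  return `<div class="tooltip"><strong>${clean.labels[index]}</strong><ul>${rows}</ul></div>`;
}

// Constructed sample: a label carrying markup and a numeric string value.
const SAMPLE = {
  labels: ['<b>Q1</b>', 'Q2'],
  datasets: [{ name: 'Sales', values: [25, '30'] }],
};

console.log(renderTooltipHtml(sanitizeChartData(SAMPLE), 0));
```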
