Cross-site Scripting (XSS) - Generic in frappe/charts
Valid
Reported on Jan 26th 2021
Description
frappe-charts is vulnerable to Cross-Site Scripting (XSS) due to an incomplete fix: https://github.com/frappe/charts/commit/d5706a501b44fce6949216b635ed6c5e785c471d
Steps To Reproduce
- Open the following codesandbox https://codesandbox.io/s/frappe-charts-demo-forked-40w0f?file=/src/index.js
- Use the payload "<img src=x onerror=alert(1)>" and place it in values: [25, "<img src=x onerror=alert(1)>"
- XSS payload will get executed.
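
A caller-side mitigation for the steps above, as an added example that is not part of the original report or of frappe-charts: type-check every entry of values before the data object reaches the chart, so a string carrying markup never gets to the renderer. The function names, the datasets/values data shape and the fallback of 0 are assumptions made for this illustration.

```javascript
// Added example (not frappe-charts code): validate chart values at the caller.
// Assumed data shape: { labels: [...], datasets: [{ name, values: [...] }] }.

// Accept real finite numbers, or strings that are purely a decimal number.
// Anything else, including markup such as the payload above, yields null.
function toFiniteNumber(value) {
  if (typeof value === "number") return Number.isFinite(value) ? value : null;
  if (typeof value === "string" && /^\s*-?\d+(\.\d+)?\s*$/.test(value)) {
    return Number(value);
  }
  return null;
}

// Returns a cleaned copy of the data plus a list of rejected entries,
// so the application can log or alert on them instead of rendering them.
// `fallback` is a hypothetical choice of what to plot for a rejected point.
function sanitizeChartData(data, fallback = 0) {
  const rejected = [];
  const datasets = (data.datasets || []).map((ds, d) => {
    const raw = Array.isArray(ds.values) ? ds.values : [];
    const values = raw.map((v, i) => {
      const n = toFiniteNumber(v);
      if (n === null) {
        rejected.push({ dataset: d, index: i, value: v });
        return fallback;
      }
      return n;
    });
    return { ...ds, values };
  });
  return { data: { ...data, datasets }, rejected };
}

// Constructed sample input using the payload from the report.
const sample = {
  labels: ["Mon", "Tue", "Wed"],
  datasets: [
    { name: "Visits", values: [25, "<img src=x onerror=alert(1)>", "40"] },
  ],
};
const result = sanitizeChartData(sample);
console.log(result.data.datasets[0].values); // numbers only
console.log(result.rejected);                // entries that were refused
```

This check covers only the values field named in the report; labels and dataset names are strings by design and need output escaping in the renderer instead.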