From d2174725a95feaaa7f49140eaa64c94e6e3a3e09 Mon Sep 17 00:00:00 2001
From: Alex Chambers_Jones <alexcj2802@gmail.com>
Date: Fri, 29 Oct 2021 17:59:02 +0100
Subject: [PATCH] Fixed reflected XSS described in issue 1265

---
 src/core/lib/Charts.mjs              | 3 ++-
 src/core/operations/ScatterChart.mjs | 2 +-
 src/core/operations/SeriesChart.mjs  | 5 ++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/core/lib/Charts.mjs b/src/core/lib/Charts.mjs
index 93bf32f6..6cb63f60 100644
--- a/src/core/lib/Charts.mjs
+++ b/src/core/lib/Charts.mjs
@@ -6,6 +6,7 @@
  */
 
 import OperationError from "../errors/OperationError.mjs";
+import Utils from "../Utils.mjs";
 
 /**
  * @constant
@@ -128,7 +129,7 @@ export function getScatterValuesWithColour(input, recordDelimiter, fieldDelimite
         if (Number.isNaN(x)) throw new OperationError("Values must be numbers in base 10.");
         if (Number.isNaN(y)) throw new OperationError("Values must be numbers in base 10.");
 
-        return [x, y, colour];
+        return [x, y, Utils.escapeHtml(colour)];
     });
 
     return { headings, values };
diff --git a/src/core/operations/ScatterChart.mjs b/src/core/operations/ScatterChart.mjs
index fe15f610..fc0caf03 100644
--- a/src/core/operations/ScatterChart.mjs
+++ b/src/core/operations/ScatterChart.mjs
@@ -87,7 +87,7 @@ class ScatterChart extends Operation {
         const recordDelimiter = Utils.charRep(args[0]),
             fieldDelimiter = Utils.charRep(args[1]),
             columnHeadingsAreIncluded = args[2],
-            fillColour = args[5],
+            fillColour = Utils.escapeHtml(args[5]),
             radius = args[6],
             colourInInput = args[7],
             dimension = 500;
diff --git a/src/core/operations/SeriesChart.mjs b/src/core/operations/SeriesChart.mjs
index 7a21953e..85979703 100644
--- a/src/core/operations/SeriesChart.mjs
+++ b/src/core/operations/SeriesChart.mjs
@@ -72,7 +72,10 @@ class SeriesChart extends Operation {
             fieldDelimiter = Utils.charRep(args[1]),
             xLabel = args[2],
             pipRadius = args[3],
-            seriesColours = args[4].split(","),
+            // Escape HTML from all colours to prevent reflected XSS. See https://github.com/gchq/CyberChef/issues/1265
+            seriesColours = args[4].split(",").map((colour) => {
+                return Utils.escapeHtml(colour)
+            }),
             svgWidth = 500,
             interSeriesPadding = 20,
             xAxisHeight = 50,