From d2174725a95feaaa7f49140eaa64c94e6e3a3e09 Mon Sep 17 00:00:00 2001
From: Alex Chambers_Jones
Date: Fri, 29 Oct 2021 17:59:02 +0100
Subject: [PATCH] Fixed reflected XSS described in issue 1265

---
 src/core/lib/Charts.mjs              | 3 ++-
 src/core/operations/ScatterChart.mjs | 2 +-
 src/core/operations/SeriesChart.mjs  | 5 ++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/core/lib/Charts.mjs b/src/core/lib/Charts.mjs
index 93bf32f6..6cb63f60 100644
--- a/src/core/lib/Charts.mjs
+++ b/src/core/lib/Charts.mjs
@@ -6,6 +6,7 @@
  */
 
 import OperationError from "../errors/OperationError.mjs";
+import Utils from "../Utils.mjs";
 
 /**
  * @constant
@@ -128,7 +129,7 @@ export function getScatterValuesWithColour(input, recordDelimiter, fieldDelimite
         if (Number.isNaN(x)) throw new OperationError("Values must be numbers in base 10.");
         if (Number.isNaN(y)) throw new OperationError("Values must be numbers in base 10.");
 
-        return [x, y, colour];
+        return [x, y, Utils.escapeHtml(colour)];
     });
 
     return { headings, values };
diff --git a/src/core/operations/ScatterChart.mjs b/src/core/operations/ScatterChart.mjs
index fe15f610..fc0caf03 100644
--- a/src/core/operations/ScatterChart.mjs
+++ b/src/core/operations/ScatterChart.mjs
@@ -87,7 +87,7 @@ class ScatterChart extends Operation {
         const recordDelimiter = Utils.charRep(args[0]),
             fieldDelimiter = Utils.charRep(args[1]),
             columnHeadingsAreIncluded = args[2],
-            fillColour = args[5],
+            fillColour = Utils.escapeHtml(args[5]),
             radius = args[6],
             colourInInput = args[7],
             dimension = 500;
diff --git a/src/core/operations/SeriesChart.mjs b/src/core/operations/SeriesChart.mjs
index 7a21953e..85979703 100644
--- a/src/core/operations/SeriesChart.mjs
+++ b/src/core/operations/SeriesChart.mjs
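Review bot: `return [x, y, Utils.escapeHtml(colour)];` encodes the colour for an HTML context at parse time rather than at the point it is written into markup, so every consumer of getScatterValuesWithColour's `values` now receives entity-encoded strings; a consumer that sets the colour through a DOM or d3 attribute API would render the encoded form literally, and one that places it inside a `style` attribute is not protected by HTML escaping at all (the consumers are outside this hunk, so this is inferred from the return value alone). Because a colour is a narrow value, validating it against an allowlist before use is the more robust fix and leaves output encoding to the sink, e.g. `if (!/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]+)$/.test(colour)) throw new OperationError("Invalid colour value.");` adjusted to whatever colour syntaxes the operation is meant to accept. The same encode-at-source choice is made for `fillColour` in the ScatterChart.mjs hunk and for `seriesColours` in the SeriesChart.mjs hunk, so one shared validation helper in Charts.mjs would cover all three. The body of getScatterValuesWithColour begins outside the hunk, so how `colour` is taken from the record is not visible here.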
@@ -72,7 +72,10 @@ class SeriesChart extends Operation {
             fieldDelimiter = Utils.charRep(args[1]),
             xLabel = args[2],
             pipRadius = args[3],
-            seriesColours = args[4].split(","),
+            // Escape HTML from all colours to prevent reflected XSS. See https://github.com/gchq/CyberChef/issues/1265
+            seriesColours = args[4].split(",").map((colour) => {
+                return Utils.escapeHtml(colour)
+            }),
             svgWidth = 500,
             interSeriesPadding = 20,
             xAxisHeight = 50,
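Review bot: The arrow body `return Utils.escapeHtml(colour)` lacks its terminating semicolon, and the braces add nothing to a single-expression callback; `seriesColours = args[4].split(",").map((colour) => Utils.escapeHtml(colour)),` says the same on one line and reads consistently with the other comma-chained declarations around it. The list entries are also passed through with any surrounding whitespace and with empty strings from a trailing comma; that is pre-existing, but if the chart's colour handling expects bare values (its consumer is outside the hunk), `Utils.escapeHtml(colour.trim())` would be a small robustness gain. The enclosing method starts before and continues after this hunk.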