Upgrade Highcharts - Cross Site Scripting vuln
rjensen-r7 opened this issue
Highcharts dependency needs to be upgraded to >= 8.1.1.
https://www.npmjs.com/advisories/1227
Overview
Versions of highcharts prior to 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.
Remediation
Upgrade to version 8.1.1 or later.
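Because the advisory's root cause is an unrestricted URL scheme in href values, here is an added example (not code from Highcharts or from this issue) of the scheme allowlist an application can apply to user-supplied link targets before they reach a chart configuration; `DEFAULT_BASE`, `safeHref`, `sanitizeLinks` and the sample points are assumed names and constructed data.

```javascript
// Added example: allowlist the URL scheme of user-supplied hrefs before handing
// them to a library that renders links as-is. Relies on the WHATWG URL API,
// available in modern browsers and Node 10+.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Used only to resolve relative links; in practice the page's own origin.
const DEFAULT_BASE = 'https://example.invalid/';

// Returns a normalised absolute URL when `raw` is acceptable, otherwise null.
function safeHref(raw, base = DEFAULT_BASE) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // The URL parser strips leading/trailing control characters and spaces,
    // removes embedded tabs/newlines, and lower-cases the scheme, so variants
    // such as "\tJavaScript:..." still normalise to protocol "javascript:".
    url = new URL(raw, base);
  } catch (e) {
    return null; // unparsable input is rejected rather than passed through
  }
  // This check restricts only the scheme, not the host: "//other.host/x"
  // resolves to https and is allowed. Add a host allowlist if that matters.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Drops the href of rejected entries so the chart renders the point without
// a link instead of with a dangerous one; other fields are left untouched.
function sanitizeLinks(points, base = DEFAULT_BASE) {
  return points.map(({ href, ...rest }) => {
    const clean = safeHref(href, base);
    return clean === null ? { ...rest } : { ...rest, href: clean };
  });
}

// Constructed sample input: one safe absolute link, one disguised
// javascript: link, one relative link.
const SAMPLE_POINTS = [
  { name: 'Q1', y: 12, href: 'https://example.com/report?id=7' },
  { name: 'Q2', y: 9, href: '\tJavaScript:void(0)' },
  { name: 'Q3', y: 15, href: '/dashboards/42' },
];

function demo() {
  return sanitizeLinks(SAMPLE_POINTS);
}
```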
Is anyone working on resolving this? @kirjs
I'm also getting the same problem, even with the latest version.
Version installed:
"highcharts": "^8.2.0",
"react-highcharts": "^16.1.0",
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.2.2 <8.0.0 || >=8.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-highcharts > highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1227 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Hope this will get fixed soon. 👍
There is an official HighchartsReact wrapper now, which might be the path forward: https://github.com/highcharts/highcharts-react