fix(lines): fix potential tooltip XSS vulnerability in lines series #21608

Merged
100pah merged 1 commit into release from fix/lines-tooltip-xss, May 8, 2026

Conversation

@plainheart
Member

Brief Information

This pull request is in the type of:

  • bug fixing
  • new feature
  • others

What does this PR do?

Fix potential tooltip XSS vulnerability in lines series.

Comparison

Before / After: comparison screenshots (images not included in this text)

Document Info

One of the following should be checked.

  • This PR doesn't relate to document changes
  • The document should be updated later
  • The document changes have been made in apache/echarts-doc#xxx

Misc

Security Checking

  • This PR uses security-sensitive Web APIs.

ZRender Changes

  • This PR depends on ZRender changes (ecomfe/zrender#xxx).

Related test cases or examples to use the new APIs

See test/tooltip-xss.html

Merging options

  • Please squash the commits into a single one when merging.

Other information


Copilot AI left a comment


Pull request overview

This PR addresses a potential tooltip XSS injection vector in the lines series by ensuring line item names are rendered via the tooltip markup builder (which HTML-encodes content) rather than being returned as raw HTML.

Changes:

  • Update LinesSeriesModel.formatTooltip to always return a nameValue tooltip markup block, using the item name or a fromName > toName fallback and correctly suppressing display when the value is missing/NaN.
  • Add a manual repro test page (test/tooltip-xss.html) that attempts to inject an <img onerror=...> payload via data.name.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • src/chart/lines/LinesSeries.ts: Routes line tooltip content through createTooltipMarkup('nameValue', ...) so names are HTML-encoded and values are handled consistently.
  • test/tooltip-xss.html: Adds a manual test case to verify tooltip rendering does not execute injected HTML/JS from line item names.

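The before/after that the review above describes, as an added example that is not ECharts' own code: a formatter that returns the item name as raw tooltip HTML, beside one that routes it through an encoding nameValue block with the fromName > toName fallback and missing/NaN suppression. `encodeHTML`, `nameValueMarkup`, `containsRawTag` and the sample item are constructed stand-ins and assumptions, not the project's `createTooltipMarkup`.

```javascript
// Added example (not ECharts' own code): models the lines-series tooltip fix.
// Constructed sample item: `name` is attacker-controlled, as on the PR's test page.
const HOSTILE_ITEM = {
  name: '<img src=x onerror="alert(1)">',
  fromName: 'Beijing',
  toName: 'Shanghai',
  value: 42,
};

// Minimal HTML encoder; stand-in for the encoding the tooltip markup builder applies.
function encodeHTML(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before": the raw string is returned as tooltip HTML, so the payload is live markup.
function formatTooltipUnsafe(item) {
  const name = item.name || `${item.fromName} > ${item.toName}`;
  return `${name}: ${item.value}`;
}

// "After": a nameValue block. The name is always encoded; the value part is
// suppressed when it is missing or NaN. Hypothetical stand-in for
// createTooltipMarkup('nameValue', ...), not the real builder.
function nameValueMarkup(name, value) {
  const hasValue = value != null && !Number.isNaN(Number(value));
  const namePart = `<span class="tooltip-name">${encodeHTML(name)}</span>`;
  if (!hasValue) return namePart;
  return `${namePart}: <span class="tooltip-value">${encodeHTML(value)}</span>`;
}

function formatTooltipSafe(item) {
  const name = item.name || `${item.fromName} > ${item.toName}`;
  return nameValueMarkup(name, item.value);
}

// Regression-check helper: does the output still carry an unencoded <tag ...>?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}\\b`, 'i').test(html);
}

console.log(formatTooltipUnsafe(HOSTILE_ITEM)); // payload survives as markup
console.log(formatTooltipSafe(HOSTILE_ITEM));   // payload rendered as inert text
```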

@plainheart plainheart modified the milestones: 6.1.1, 6.1.0 May 8, 2026
@100pah 100pah merged commit 1e39b00 into release May 8, 2026
6 checks passed
@100pah 100pah deleted the fix/lines-tooltip-xss branch May 8, 2026 17:57
@l3tchupkt

Thank you for the quick fix and review.
I appreciate the prompt response and the addition of the regression test for the issue.

Glad to help improve the security of Apache ECharts.

