Ticket #2531468 (closed defect)

Reporter: Ryan Grove
Owner: Tripp Bridges
Opened: 11/21/11
Last modified: 05/10/12
Status: closed
Type: defect
Resolution: fixed
Target Release: 3.5.0
Priority: P1 (critical)

Summary: Axis: `title` attribute should either be renamed `titleHTML` or should not be passed to innerHTML

Description:

In Axis.js on line 468, the value of the Axis instance's `title` attribute is passed directly to innerHTML: http://yuilibrary.com/yui/docs/api/files/charts_js_Axis.js.html#l468

This is a potential security issue if the title attribute contains a user-supplied string. If titles don't need to support HTML, then the title should be appended safely to titleTextNode as a DOM text node (https://developer.mozilla.org/en/DOM:document.createTextNode) rather than as HTML.

| Type: | defect | Observed in Version: | 3.4.1 |
|---|---|---|---|
| Component: | Charts | Severity: | S1 (critical) |
| Assigned To: | Tripp Bridges | Target Release: | 3.5.0 |
| Location: | Library Code | Priority: | P1 (critical) |
| Tags: | security | Relates To: | #2531476 |
| Browsers: | N/A | | |
| URL: | | | |
| Test Information: | | | |
Change History

Posted: 11/21/11

Posted: 11/22/11

Posted: 11/28/11
Update based on a discussion with Matt: Please ensure that the data type of the "title" attribute in the API docs is "HTML". The API doc skin itself can then provide the necessary boilerplate warning about using Y.Escape.html(), etc. There's no need to rename the attribute as long as the data type is updated.

Posted: 12/14/11

Posted: 01/29/12

Posted: 01/29/12
Titles are no longer attached with innerHTML. I added an appendTitleFunction attribute which is a function that attaches the title with appendChild. The attribute can be overridden with a different function if necessary.

Posted: 05/10/12
checkedin -> closed

Posted: 05/10/12
Adding a reference to a discussion on attribute deprecation/aliasing: http://yuilibrary.com/projects/yui3/ticket/2531476
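Added example (not YUI's code): the pre-fix innerHTML attachment from the description beside the appendChild-based, overridable appendTitleFunction described in the 01/29/12 comment, run on the same title string so the difference in what reaches the page is visible. `fakeDocument`, `Element` and `TextNode` are assumptions, a minimal stand-in for the browser DOM so the block runs outside a browser.

```javascript
// Added example, not YUI code. Element, TextNode and fakeDocument are a
// minimal stand-in for the browser DOM (assumption) so this runs offline.
class TextNode {
  constructor(text) { this.text = text; }
  // A text node is serialised with markup characters escaped, as a browser does.
  toString() {
    return this.text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  }
}

class Element {
  constructor(tag) { this.tag = tag; this.children = []; this.rawHTML = null; }
  appendChild(node) { this.children.push(node); return node; }
  // Assigning innerHTML stores the string as markup: nothing is escaped.
  set innerHTML(html) { this.rawHTML = html; this.children = []; }
  toString() {
    const inner = this.rawHTML !== null ? this.rawHTML : this.children.join('');
    return `<${this.tag}>${inner}</${this.tag}>`;
  }
}

const fakeDocument = {
  createElement: (tag) => new Element(tag),
  createTextNode: (text) => new TextNode(text),
};

// Pre-fix behaviour (Axis.js line 468 per the ticket): title goes into innerHTML.
function attachTitleWithInnerHTML(titleTextNode, title) {
  titleTextNode.innerHTML = title;
  return titleTextNode.toString();
}

// Post-fix behaviour: an overridable appendTitleFunction whose default
// attaches the title as a DOM text node via appendChild, so markup stays inert.
function defaultAppendTitleFunction(titleTextNode, title) {
  titleTextNode.appendChild(fakeDocument.createTextNode(title));
}

function attachTitle(titleTextNode, title, appendTitleFunction = defaultAppendTitleFunction) {
  appendTitleFunction(titleTextNode, title);
  return titleTextNode.toString();
}

// Constructed sample: a user-supplied title that happens to contain markup.
const untrustedTitle = 'Sales <b>2011</b> & <script>untrusted()</script>';

console.log(attachTitleWithInnerHTML(fakeDocument.createElement('span'), untrustedTitle));
console.log(attachTitle(fakeDocument.createElement('span'), untrustedTitle));
```

The first line printed contains live `<b>` and `<script>` elements; the second contains only escaped text, which is the behaviour the ticket's fix restores by default.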