Closed
Labels: new-feature, pending (We are not sure about whether this is a bug/new feature.)
Description
ECharts' tooltip formatter carries a serious XSS risk when user-defined data (such as name or value) is inserted directly into HTML. Although the project already provides an encodeHTML method (see issue #14429), developers often fail to notice the risk in practice, because modern front-end frameworks (such as React) give an explicit warning where XSS is possible (e.g. dangerouslySetInnerHTML), whereas in the ECharts formatter scenario it is easy to overlook, leaving a security hazard.
Suggestions:
- First, analyze whether ECharts can handle the XSS risk of tooltip formatters uniformly at the framework level, for example by automatically HTML-encoding user data.
- If uniform handling is not possible, the project should add prominent security warnings in the documentation, API comments, and at runtime (e.g. a console warning) to help developers identify and avoid this problem in time.
Code example:
```js
// Unsafe: untrusted name/value go straight into the tooltip HTML
const unsafeOption = {
  tooltip: {
    formatter: params => {
      const { name, value } = params;
      return `${name}, <b>${value}</b>`; // XSS if name/value is malicious
    }
  }
};
// Safe: every untrusted field is HTML-encoded first
const safeOption = {
  tooltip: {
    formatter: params => {
      const { name, value } = params;
      return `${echarts.encodeHTML(name)}, <b>${echarts.encodeHTML(value)}</b>`;
    }
  }
};
```
———
ECharts tooltip formatter poses a serious XSS risk when user-defined data (like name or value) is directly inserted into HTML. Although encodeHTML was provided (see issue #14429), most developers are unaware of this risk, as modern frameworks (e.g., React) provide explicit warnings when handling raw HTML (like dangerouslySetInnerHTML). In ECharts, however, this risk is hidden and easily overlooked, leading to possible security breaches.
Suggestions:
- First, analyze if ECharts can provide unified XSS handling at the framework level, such as auto-encoding user data in tooltip formatter.
- If not possible, please add clear warnings about XSS risks in documentation, API comments, and runtime console warnings; this will help developers recognize and avoid this issue.
Code Sample:
```js
// Vulnerable: untrusted name/value go straight into the tooltip HTML
const unsafeOption = {
  tooltip: {
    formatter: params => {
      const { name, value } = params;
      return `${name}, <b>${value}</b>`; // XSS risk if name/value is malicious
    }
  }
};
// Safe: every untrusted field is HTML-encoded first
const safeOption = {
  tooltip: {
    formatter: params => {
      const { name, value } = params;
      return `${echarts.encodeHTML(name)}, <b>${echarts.encodeHTML(value)}</b>`;
    }
  }
};
```
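As an added example (not part of the issue or of the ECharts code base), the two formatter variants run against a constructed tooltip `params` object whose `name` carries markup; `encodeHTML` here is a minimal stand-in for the ECharts helper, and `containsUnexpectedTag` is an assumed review-time check, not an ECharts API.

```javascript
// Added example: minimal HTML escaping plus the vulnerable and safe
// formatters from the issue, exercised on constructed input.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
// Stand-in for echarts' encodeHTML; not the library's own implementation.
function encodeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: interpolates untrusted data straight into tooltip HTML.
function vulnerableFormatter(params) {
  const { name, value } = params;
  return `${name}, <b>${value}</b>`;
}

// Safe: every untrusted field is encoded before it reaches innerHTML.
function safeFormatter(params) {
  const { name, value } = params;
  return `${encodeHTML(name)}, <b>${encodeHTML(value)}</b>`;
}

// Hypothetical reviewer/test check: does any tag other than the fixed
// markup the formatter itself emits survive in the output?
function containsUnexpectedTag(html, allowedTags = ['b']) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a data point whose name originated from user input.
const SAMPLE_PARAMS = { name: 'Region "A" <script>alert(1)</script>', value: 42 };

// Only the safe formatter's output is free of injected tags.
const unsafeOut = vulnerableFormatter(SAMPLE_PARAMS); // contains a raw <script> tag
const safeOut = safeFormatter(SAMPLE_PARAMS);         // markup rendered as text

// How the safe variant plugs into an ECharts option object.
const option = { tooltip: { formatter: safeFormatter } };
```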