From d0f9bc5bcade5e6d0471fac1b623e7150fccb417 Mon Sep 17 00:00:00 2001
From: susiwen8
Date: Sat, 4 Apr 2020 12:34:40 +0800
Subject: [PATCH 1/3] Fix potential security risk
---
 src/chart/sunburst/SunburstView.js | 10 +++++++++-
 src/chart/treemap/TreemapView.js | 9 ++++++++-
 src/component/title.js | 20 ++++++++++++++++++--
 3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/chart/sunburst/SunburstView.js b/src/chart/sunburst/SunburstView.js
index 2d9d037e85..f18fb825e3 100644
--- a/src/chart/sunburst/SunburstView.js
+++ b/src/chart/sunburst/SunburstView.js
@@ -206,7 +206,15 @@ var SunburstView = ChartView.extend({
 if (link) {
 var linkTarget = itemModel.get('target', true) || '_blank';
- window.open(link, linkTarget);
+
+ if (linkTarget === '_blank' || linkTarget === 'blank') {
+ var blank = window.open();
+ blank.opener = null;
+ blank.location = link;
+ }
+ else {
+ window.open(link, linkTarget);
+ }
 }
 }
 targetFound = true;
diff --git a/src/chart/treemap/TreemapView.js b/src/chart/treemap/TreemapView.js
index 2217507c3c..931d2fbc78 100644
--- a/src/chart/treemap/TreemapView.js
+++ b/src/chart/treemap/TreemapView.js
@@ -544,7 +544,14 @@ export default echarts.extendChartView({
 var itemModel = node.hostTree.data.getItemModel(node.dataIndex);
 var link = itemModel.get('link', true);
 var linkTarget = itemModel.get('target', true) || 'blank';
- link && window.open(link, linkTarget);
+ if (link && (linkTarget === 'blank' || linkTarget === '_blank')) {
+ var blank = window.open();
+ blank.opener = null;
+ blank.location = link;
+ }
+ else if (link) {
+ window.open(link, linkTarget);
+ }
 }
 }
diff --git a/src/component/title.js b/src/component/title.js
index 5dc5fff4c8..e6efe3882c 100644
--- a/src/component/title.js
+++ b/src/component/title.js
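Review bot: `window.open()` can return `null` when the browser blocks the popup, so `blank.opener = null;` in the added `_blank` branch of the SunburstView.js hunk would throw a TypeError inside the click handler. Guard the handle before touching it, e.g. `if (blank) { blank.opener = null; blank.location = link; }`. The same unguarded sequence is added in the TreemapView.js hunk, in both handlers of the title.js hunk, and later in the `windowOpen` helper in src/util/format.js. The enclosing handler starts and ends outside this hunk.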
@@ -143,12 +143,28 @@ echarts.extendComponentView({
 if (link) {
 textEl.on('click', function () {
- window.open(link, '_' + titleModel.get('target'));
+ var target = titleModel.get('target');
+ if (target === 'blank' || target === '_blank') {
+ var blank = window.open();
+ blank.opener = null;
+ blank.location = link;
+ }
+ else {
+ window.open(link, '_' + titleModel.get('target'));
+ }
 });
 }
 if (sublink) {
 subTextEl.on('click', function () {
- window.open(sublink, '_' + titleModel.get('subtarget'));
+ var subTarget = titleModel.get('subtarget');
+ if (subTarget === 'blank' || subTarget === '_blank') {
+ var blank = window.open();
+ blank.opener = null;
+ blank.location = link;
+ }
+ else {
+ window.open(link, '_' + titleModel.get('subtarget'));
+ }
 });
 }
From da618e53aca4cce1645af3dcc2d05452fb92b7d6 Mon Sep 17 00:00:00 2001
From: susiwen8
Date: Sat, 4 Apr 2020 14:54:41 +0800
Subject: [PATCH 2/3] put window.open in util
---
 src/chart/sunburst/SunburstView.js | 10 ++--------
 src/chart/treemap/TreemapView.js | 10 ++--------
 src/component/title.js | 19 +++----------------
 src/util/format.js | 18 +++++++++++++++++-
 4 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/src/chart/sunburst/SunburstView.js b/src/chart/sunburst/SunburstView.js
index f18fb825e3..ee83b631e8 100644
--- a/src/chart/sunburst/SunburstView.js
+++ b/src/chart/sunburst/SunburstView.js
@@ -21,6 +21,7 @@ import * as zrUtil from 'zrender/src/core/util';
 import ChartView from '../../view/Chart';
 import SunburstPiece from './SunburstPiece';
 import DataDiffer from '../../data/DataDiffer';
+import {windowOpen} from '../../util/format';
 var ROOT_TO_NODE_ACTION = 'sunburstRootToNode';
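Review bot: The `subTextEl` click handler now navigates to `link` where the removed line used `sublink`, so clicking the subtitle would open the main title's URL; both `blank.location = link;` and `window.open(link, '_' + titleModel.get('subtarget'));` in that handler should use `sublink`. The later title.js hunks in this series keep the same argument (`windowOpen(link, subTarget)` and then `windowOpen(link, '_' + titleModel.get('subtarget'))`), so the final form needs to be `windowOpen(sublink, '_' + titleModel.get('subtarget'));`. The surrounding render function starts outside the hunk.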
@@ -207,14 +208,7 @@ var SunburstView = ChartView.extend({
 var linkTarget = itemModel.get('target', true) || '_blank';
- if (linkTarget === '_blank' || linkTarget === 'blank') {
- var blank = window.open();
- blank.opener = null;
- blank.location = link;
- }
- else {
- window.open(link, linkTarget);
- }
+ windowOpen(link, linkTarget);
 }
 }
 targetFound = true;
diff --git a/src/chart/treemap/TreemapView.js b/src/chart/treemap/TreemapView.js
index 931d2fbc78..f6ada55de6 100644
--- a/src/chart/treemap/TreemapView.js
+++ b/src/chart/treemap/TreemapView.js
@@ -28,6 +28,7 @@ import BoundingRect from 'zrender/src/core/BoundingRect';
 import * as matrix from 'zrender/src/core/matrix';
 import * as animationUtil from '../../util/animation';
 import makeStyleMapper from '../../model/mixin/makeStyleMapper';
+import {windowOpen} from '../../util/format';
 var bind = zrUtil.bind;
 var Group = graphic.Group;
@@ -544,14 +545,7 @@ export default echarts.extendChartView({
 var itemModel = node.hostTree.data.getItemModel(node.dataIndex);
 var link = itemModel.get('link', true);
 var linkTarget = itemModel.get('target', true) || 'blank';
- if (link && (linkTarget === 'blank' || linkTarget === '_blank')) {
- var blank = window.open();
- blank.opener = null;
- blank.location = link;
- }
- else if (link) {
- window.open(link, linkTarget);
- }
+ link && windowOpen(link, linkTarget);
 }
 }
diff --git a/src/component/title.js b/src/component/title.js
index e6efe3882c..1e06276486 100644
--- a/src/component/title.js
+++ b/src/component/title.js
@@ -21,6 +21,7 @@ import * as zrUtil from 'zrender/src/core/util';
 import * as echarts from '../echarts';
 import * as graphic from '../util/graphic';
 import {getLayoutRect} from '../util/layout';
+import {windowOpen} from '../util/format';
 // Model
 echarts.extendComponentModel({
@@ -144,27 +145,13 @@ echarts.extendComponentView({
 if (link) {
 textEl.on('click', function () {
 var target = titleModel.get('target');
- if (target === 'blank' || target === '_blank') {
- var blank = window.open();
- blank.opener = null;
- blank.location = link;
- }
- else {
- window.open(link, '_' + titleModel.get('target'));
- }
+ windowOpen(link, target);
 });
 }
 if (sublink) {
 subTextEl.on('click', function () {
 var subTarget = titleModel.get('subtarget');
- if (subTarget === 'blank' || subTarget === '_blank') {
- var blank = window.open();
- blank.opener = null;
- blank.location = link;
- }
- else {
- window.open(link, '_' + titleModel.get('subtarget'));
- }
+ windowOpen(link, subTarget);
 });
 }
diff --git a/src/util/format.js b/src/util/format.js
index d499d52744..eadb26a7d1 100644
--- a/src/util/format.js
+++ b/src/util/format.js
@@ -23,7 +23,7 @@ import * as numberUtil from './number';
 // import Text from 'zrender/src/graphic/Text';
 /**
- * 每三位默认加,格式化
+ * add commas after every three numbers
 * @param {string|number} x
 * @return {string}
 */
@@ -275,3 +275,19 @@ export function getTextRect(
 text, font, textAlign, textVerticalAlign, textPadding, textLineHeight, rich, truncate );
 }
+
+/**
+ * open new tab
+ * @param {string} link url
+ * @param {string} target blank or self
+ */
+export function windowOpen(link, target) {
+ if (target === '_blank' || target === 'blank') {
+ var blank = window.open();
+ blank.opener = null;
+ blank.location = link;
+ }
+ else {
+ window.open(link, target);
+ }
+}
From 8cd07898bffd76f8c511da097318a696adc79706 Mon Sep 17 00:00:00 2001
From: susiwen8
Date: Sat, 4 Apr 2020 15:07:12 +0800
Subject: [PATCH 3/3] align with previous
---
 src/chart/sunburst/SunburstView.js | 1 -
 src/component/title.js | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/chart/sunburst/SunburstView.js b/src/chart/sunburst/SunburstView.js
index ee83b631e8..528bb85cd2 100644
--- a/src/chart/sunburst/SunburstView.js
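Review bot: The `windowOpen` helper added to src/util/format.js assigns `link` to `blank.location` without looking at its scheme, and the blank window it navigates was created by this page, so this helper is the one place where a non-web scheme such as `javascript:` could be rejected. The call sites in this series read `link` from chart options (`itemModel.get('link', true)` and the title `link`); whether those options can carry untrusted data is not visible here, so treat this as a hardening point rather than a confirmed flaw. At minimum the JSDoc should say why `opener` is cleared and what the caller must guarantee, e.g. `* Clears window.opener on new tabs so the opened page cannot navigate this one; link must be a trusted http(s) URL.` The `@param` text `blank or self` also does not match the body and could read `'blank' or '_blank' opens a new tab; any other value is passed to window.open unchanged`.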
+++ b/src/chart/sunburst/SunburstView.js
@@ -207,7 +207,6 @@ var SunburstView = ChartView.extend({
 if (link) {
 var linkTarget = itemModel.get('target', true) || '_blank';
-
 windowOpen(link, linkTarget);
 }
 }
diff --git a/src/component/title.js b/src/component/title.js
index 1e06276486..94a30a2e40 100644
--- a/src/component/title.js
+++ b/src/component/title.js
@@ -144,14 +144,12 @@ echarts.extendComponentView({
 if (link) {
 textEl.on('click', function () {
- var target = titleModel.get('target');
- windowOpen(link, target);
+ windowOpen(link, '_' + titleModel.get('target'));
 });
 }
 if (sublink) {
 subTextEl.on('click', function () {
- var subTarget = titleModel.get('subtarget');
- windowOpen(link, subTarget);
+ windowOpen(link, '_' + titleModel.get('subtarget'));
 });
 }
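Review bot: Prefixing the option with `'_'` at the title.js call sites means a configured value of `'_blank'` reaches `windowOpen` as `'__blank'`, matches neither comparison there, and takes the plain `window.open(link, target)` branch, where `opener` is left set. The helper accepts both spellings, which suggests the underscore form may occur in options, although the allowed values for the title `target` are not visible here. Normalising before the call would keep the hardened branch reachable, e.g. `var target = titleModel.get('target');` followed by `windowOpen(link, /^_/.test(target) ? target : '_' + target);`, and likewise for `subtarget`. The click handlers sit inside a function that starts outside the hunk.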