Merge pull request #14087 from apache/fix/encodehtml

Fix: add encodeHTML to avoid XSS risk
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d0853e6..92ba606 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -21,7 +21,7 @@
 
 When opening new issues, please use the [echarts issue helper](https://ecomfe.github.io/echarts-issue-helper/), opening issues in any other way will cause our bot to close them automatically.
 
-And before doing so, please search for similar questions in our [issues list](https://github.com/apache/incubator-echarts/issues?utf8=%E2%9C%93&q=is%3Aissue). If you are able to reproduce an issue found in a closed issue, please create a new issue and reference the closed one.
+And before doing so, please search for similar questions in our [issues list](https://github.com/apache/echarts/issues?utf8=%E2%9C%93&q=is%3Aissue). If you are able to reproduce an issue found in a closed issue, please create a new issue and reference the closed one.
 
 Please read the [documentation](http://echarts.apache.org/option.html) carefully before asking any questions.
 
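Review bot: the incubator-echarts to echarts URL rewrites in this file (and in README.md and package.json below) are unrelated to the encodeHTML change named in the PR title; landing the repository-rename cleanup as its own PR would keep the security fix self-contained and trivial to cherry-pick onto a maintenance branch.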
@@ -34,16 +34,16 @@
 About our release plan, we will release a mior version at the end of every month. Here is some detail.
 
 1. Assume our current stable release is 4.3.0. We will start the discussion of milestone of the release two versions ahead, which is 4.5.0 at the beginning of each month. At this time we should also kickoff the developing of the next release, which is 4.4.0.
-2. Finish 4.4.0 developing at about 22th of this month and start the testing. And the 4.5.0 milestone discussion is frozen and published on the [GitHub](https://github.com/apache/incubator-echarts/milestone/14)
+2. Finish 4.4.0 developing at about 22th of this month and start the testing. And the 4.5.0 milestone discussion is frozen and published on the [GitHub](https://github.com/apache/echarts/milestone/14)
 3. Vote in the mailing list for the 4.4.0 release at the end of this month.
 
 ## Pull Requests
 
-Wiki: [How to make a pull request](https://github.com/apache/incubator-echarts/wiki/How-to-make-a-pull-request)
+Wiki: [How to make a pull request](https://github.com/apache/echarts/wiki/How-to-make-a-pull-request)
 
 ## How to Debug ECharts
 
-Wiki: [How to setup the dev environment](https://github.com/apache/incubator-echarts/wiki/How-to-setup-the-dev-environment)
+Wiki: [How to setup the dev environment](https://github.com/apache/echarts/wiki/How-to-setup-the-dev-environment)
 
 ## Some hints about using code from other authors
 
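Review bot: the rewritten milestone line still reads "at about 22th of this month" (should be "22nd"), and the unchanged context line above it has "release a mior version" ("minor"); since this line is being touched anyway, fix both typos in the same change.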
@@ -67,6 +67,3 @@
     + https://issues.apache.org/jira/browse/LEGAL-471
 + Wikipedia:
     + Wikipedia is licensed CC 4.0 BY_SA and is incompatible with the Apache license. So we should not copy code from Wikipedia.
-+ Working in progress disclaimer:
-    + In some cases we might use the work in progress disclaimer and document the issues in that until they are fixed.
-    + https://incubator.apache.org/policy/incubation.html#disclaimers
diff --git a/README.md b/README.md
index deb7307..5618fad 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 
 **[中文官网](https://echarts.apache.org/zh/index.html)** | **[ENGLISH HOMEPAGE](https://echarts.apache.org/en/index.html)**
 
-[![Build Status](https://travis-ci.org/apache/incubator-echarts.svg?branch=master)](https://travis-ci.org/apache/incubator-echarts) [![](https://img.shields.io/npm/dw/echarts.svg?label=npm%20downloads&style=flat)](https://www.npmjs.com/package/echarts) [![Last npm release](https://img.shields.io/npm/v/echarts)](https://www.npmjs.com/package/echarts)
+[![Build Status](https://travis-ci.org/apache/echarts.svg?branch=master)](https://travis-ci.org/apache/echarts) [![](https://img.shields.io/npm/dw/echarts.svg?label=npm%20downloads&style=flat)](https://www.npmjs.com/package/echarts) [![Last npm release](https://img.shields.io/npm/v/echarts)](https://www.npmjs.com/package/echarts)
 
 ## Get Apache ECharts
 
@@ -35,7 +35,7 @@
 
 ## Get Help
 
-+ [GitHub Issues](https://github.com/apache/incubator-echarts/issues) for bug report and feature requests
++ [GitHub Issues](https://github.com/apache/echarts/issues) for bug report and feature requests
 + Email [dev@echarts.apache.org](mailto:dev@echarts.apache.org) for general questions
 + Subscribe [mailing list](https://echarts.apache.org/en/maillist.html) to get updated with the project
 
@@ -66,7 +66,7 @@
 
 ## Contribution
 
-If you wish to debug locally or make pull requests, please refer to [contributing](https://github.com/apache/incubator-echarts/blob/master/CONTRIBUTING.md) document.
+If you wish to debug locally or make pull requests, please refer to [contributing](https://github.com/apache/echarts/blob/master/CONTRIBUTING.md) document.
 
 ## Resources
 
@@ -82,7 +82,7 @@
 
 + [Wordcloud 字符云](https://github.com/ecomfe/echarts-wordcloud)
 
-+ [Extension for Baidu Map 百度地图扩展](https://github.com/apache/incubator-echarts/tree/master/extension-src/bmap) An extension provides a wrapper of Baidu Map Service SDK.
++ [Extension for Baidu Map 百度地图扩展](https://github.com/apache/echarts/tree/master/extension-src/bmap) An extension provides a wrapper of Baidu Map Service SDK.
 
 + [vue-echarts](https://github.com/ecomfe/vue-echarts) ECharts component for Vue.js
 
diff --git a/package.json b/package.json
index 8566186..f06c105 100644
--- a/package.json
+++ b/package.json
@@ -20,12 +20,12 @@
   "types": "index.d.ts",
   "homepage": "http://echarts.apache.org",
   "bugs": {
-    "url": "https://github.com/apache/incubator-echarts/issues",
+    "url": "https://github.com/apache/echarts/issues",
     "email": "dev@echarts.apache.org"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/apache/incubator-echarts.git"
+    "url": "git+https://github.com/apache/echarts.git"
   },
   "sideEffects": [
     "index.js",
diff --git a/src/component/tooltip/tooltipMarkup.ts b/src/component/tooltip/tooltipMarkup.ts
index b59be65..2e88c1d 100644
--- a/src/component/tooltip/tooltipMarkup.ts
+++ b/src/component/tooltip/tooltipMarkup.ts
@@ -58,9 +58,12 @@
     const valueFontWeight = textStyle.fontWeight || '900';
 
     if (renderMode === 'html') {
+        // `textStyle` is probably from user input, should be encoded to reduce security risk.
         return {
-            nameStyle: `font-size:${nameFontSize}px;color:${nameFontColor};font-weight:${nameFontWeight}`,
-            valueStyle: `font-size:${valueFontSize}px;color:${valueFontColor};font-weight:${valueFontWeight}`
+            // eslint-disable-next-line max-len
+            nameStyle: `font-size:${encodeHTML(nameFontSize + '')}px;color:${encodeHTML(nameFontColor)};font-weight:${encodeHTML(nameFontWeight + '')}`,
+            // eslint-disable-next-line max-len
+            valueStyle: `font-size:${encodeHTML(valueFontSize + '')}px;color:${encodeHTML(valueFontColor)};font-weight:${encodeHTML(valueFontWeight + '')}`
         };
     }
     else {
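Review bot: the encodeHTML() wrapping on the nameStyle and valueStyle template lines stops a user-supplied textStyle.color, fontSize or fontWeight from breaking out of the attribute or injecting a tag, but HTML entity encoding does not touch CSS-significant characters such as `;`, `:`, `(` and `)`, so a colour like `red;background:url(...)` still reaches the inline style as extra declarations. Because these three values have a known shape, validating is stronger than encoding: coerce nameFontSize/valueFontSize with `+value` and reject NaN, accept fontWeight only as a number or one of the CSS keywords, and match the colour against a `#hex` / `rgb(...)` / named-colour pattern before interpolating (keep encodeHTML as a second layer). The new comment says "reduce security risk", which is accurate; do not promote it to "prevent". Two follow-ups: this hunk does not add an import for encodeHTML, so confirm it is already imported in tooltipMarkup.ts, and the `else` branch for the non-HTML render mode at the last context line is untouched, so check whether the same textStyle values are emitted there without any sanitisation.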