@@ -195,7 +195,17 @@ export class TimelineRenderer extends Component {
195195 // Delete an item by tapping the delete button top right
196196 this . options . editable . remove = true ;
197197 }
198- this . options . xss = { disabled : true } ;
198+ // Configure XSS filtering options to mitigate potential security risks.
199+ // Disabling XSS filtering can lead to vulnerabilities, as highlighted in:
200+ // - CVE-2020-28487 (https://www.cve.org/CVERecord?id=CVE-2020-28487)
201+ // - https://github.com/visjs/vis-timeline/pull/840
202+ // The solution is to define a whitelist of allowed HTML elements and attributes.
203+ // TODO: Check if this can be removed when this PR is merged: https://github.com/visjs/vis-timeline/pull/1860
204+ this . options . xss = {
205+ filterOptions : {
206+ whiteList : this . getXSSWhiteList ( ) ,
207+ } ,
208+ } ;
199209 this . timeline = new vis . Timeline ( this . canvasRef . el , { } , this . options ) ;
200210 this . timeline . on ( "click" , this . on_timeline_click . bind ( this ) ) ;
201211 if ( ! this . options . onUpdate ) {
@@ -210,6 +220,23 @@ export class TimelineRenderer extends Component {
210220 this . load_initial_data ( ) ;
211221 } ) ;
212222 }
223+ /**
224+ * Returns the XSS whitelist for the timeline library.
225+ * This is used to filter out potentially harmful HTML elements and attributes.
226+ * The white list allows only specific elements and attributes to be rendered.
227+ * This is important for security reasons, as it helps prevent XSS attacks.
228+ * @returns {Object } The XSS white list.
229+ * Key: element name; value: array of allowed attributes.
230+ */
231+ getXSSWhiteList ( ) {
232+ // Add more elements to the whitelist as needed.
233+ return {
234+ div : [ "class" , "style" ] ,
235+ span : [ "class" , "name" ] ,
236+ small : [ "class" , "name" ] ,
237+ img : [ "src" , "width" , "height" , "alt" , "loading" , "class" ] ,
238+ } ;
239+ }
213240
214241 /**
215242 * Clears and draws the canvas items.
0 commit comments