fix: improve chart rendering security

Author: HardeepAsrani

classes/Visualizer/D3Renderer/src/iframe.js

@@ -0,0 +1,96 @@
+/**
+ * D3.js sandboxed iframe renderer.
+ *
+ * Loaded inside an <iframe sandbox="allow-scripts"> so chart code runs in a
+ * null-origin context — it cannot access the parent page's cookies, localStorage,
+ * or DOM, which eliminates the persistent-XSS risk of executing stored D3 code
+ * in the main page context.
+ *
+ * Responds to postMessage commands from the parent:
+ *   { type: 'render',       code, series, data }
+ *   { type: 'export-image' }
+ *
+ * Sends postMessage replies to the parent:
+ *   { type: 'iframe-ready' }
+ *   { type: 'export-image-result', dataUrl }
+ */
+import * as d3 from 'd3';
+import * as topojson from 'topojson-client';
+
+/** Convert Visualizer series + data arrays to plain objects for D3. */
+function toD3Values( series, data ) {
+	if ( ! Array.isArray( series ) || ! Array.isArray( data ) ) return [];
+	return data.map( ( row ) => {
+		const obj = {};
+		series.forEach( ( col, i ) => {
+			obj[ col.label ] = row[ i ];
+		} );
+		return obj;
+	} );
+}
+
+function svgToPng( svg, callback ) {
+	const rect = svg.getBoundingClientRect();
+	const width = parseFloat( svg.getAttribute( 'width' ) ) || rect.width || 800;
+	const height = parseFloat( svg.getAttribute( 'height' ) ) || rect.height || 600;
+	const clone = svg.cloneNode( true );
+	clone.setAttribute( 'width', width );
+	clone.setAttribute( 'height', height );
+	const serializer = new XMLSerializer();
+	const svgText = serializer.serializeToString( clone );
+	const svgDataUrl = 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent( svgText );
+
+	const img = new Image();
+	img.onload = () => {
+		const canvas = document.createElement( 'canvas' );
+		canvas.width = width;
+		canvas.height = height;
+		const ctx = canvas.getContext( '2d' );
+		ctx.fillStyle = '#ffffff';
+		ctx.fillRect( 0, 0, width, height );
+		ctx.drawImage( img, 0, 0 );
+		callback( canvas.toDataURL( 'image/png' ) );
+	};
+	img.onerror = () => callback( null );
+	img.src = svgDataUrl;
+}
+
+window.addEventListener( 'message', function ( event ) {
+	const msg = event.data;
+	if ( ! msg || typeof msg !== 'object' ) return;
+
+	if ( msg.type === 'render' ) {
+		const { code, series, data } = msg;
+		const container = document.getElementById( 'chart' );
+		if ( ! code || ! container ) return;
+
+		const values = toD3Values( series, data );
+		try {
+			// eslint-disable-next-line no-new-func
+			new Function( 'd3', 'topojson', 'container', 'data', code )( d3, topojson, container, values );
+		} catch ( err ) {
+			container.innerHTML =
+				'<p style="color:#c00;padding:12px">Chart render error: ' + err.message + '</p>';
+		}
+	}
+
+	if ( msg.type === 'export-image' ) {
+		const canvas = document.querySelector( 'canvas' );
+		if ( canvas && typeof canvas.toDataURL === 'function' ) {
+			event.source.postMessage(
+				{ type: 'export-image-result', dataUrl: canvas.toDataURL( 'image/png' ) },
+				'*'
+			);
+			return;
+		}
+		const svg = document.querySelector( 'svg' );
+		if ( svg ) {
+			svgToPng( svg, ( dataUrl ) => {
+				event.source.postMessage( { type: 'export-image-result', dataUrl }, '*' );
+			} );
+		}
+	}
+} );
+
+// Signal readiness to the parent so it knows when to send the render command.
+window.parent.postMessage( { type: 'iframe-ready' }, '*' );

classes/Visualizer/D3Renderer/src/index.js

@@ -2,29 +2,35 @@
  * D3.js frontend renderer for Visualizer.
  *
  * Listens to the `visualizer:render:chart:start` event fired by render-facade.js.
- * For charts with library === 'd3', retrieves the stored D3 code, converts the
- * series/data arrays to plain objects, and executes the code via new Function.
+ * For charts with library === 'd3', creates a sandboxed <iframe> and delegates
+ * chart execution to it via postMessage — eliminating the persistent-XSS risk of
+ * running stored code via new Function() in the main page context.
+ *
+ * The iframe uses srcdoc so no physical HTML file is needed.  srcdoc iframes
+ * always have a null origin regardless of sandbox, and sandbox="allow-scripts"
+ * ensures the chart code cannot access the parent page's cookies, localStorage,
+ * or DOM.
  */
-import * as d3 from 'd3';
-import * as topojson from 'topojson-client';
-
-/** Convert Visualizer series + data arrays to plain objects for D3. */
-function toD3Values( series, data ) {
-	if ( ! Array.isArray( series ) || ! Array.isArray( data ) ) return [];
-	return data.map( ( row ) => {
-		const obj = {};
-		series.forEach( ( col, i ) => {
-			obj[ col.label ] = row[ i ];
-		} );
-		return obj;
-	} );
+
+function ensurePngName( name ) {
+	if ( ! name ) return 'chart.png';
+	return name.toLowerCase().endsWith( '.png' ) ? name : `${ name }.png`;
+}
+
+function downloadDataUrl( dataUrl, name ) {
+	const link = document.createElement( 'a' );
+	link.href = dataUrl;
+	link.download = ensurePngName( name );
+	document.body.appendChild( link );
+	link.click();
+	link.remove();
 }
 
 /**
- * Render a single D3 chart into its container element.
+ * Render a single D3 chart into its container element via a sandboxed iframe.
  *
- * @param {string}  id    - DOM element ID of the container
- * @param {object}  chart - chart entry from visualizer.charts
+ * @param {string} id    - DOM element ID of the container
+ * @param {object} chart - chart entry from visualizer.charts
  */
 function renderD3Chart( id, chart ) {
 	const container = document.getElementById( id );
@@ -37,97 +43,91 @@ function renderD3Chart( id, chart ) {
 		return;
 	}
 
-	const values = toD3Values( chart.series, chart.data );
+	const iframeJsUrl =
+		window.vizD3Renderer && window.vizD3Renderer.iframeJsUrl
+			? window.vizD3Renderer.iframeJsUrl
+			: null;
+
+	if ( ! iframeJsUrl ) {
+		container.innerHTML =
+			'<p style="color:#c00;padding:12px">D3 renderer iframe URL not configured.</p>';
+		return;
+	}
 
+	// Match the iframe dimensions to the container after layout is complete.
 	function doRender() {
-		try {
-			// eslint-disable-next-line no-new-func
-			new Function( 'd3', 'topojson', 'container', 'data', code )( d3, topojson, container, values );
-		} catch ( err ) {
-			container.innerHTML = '<p style="color:#c00;padding:12px">Chart render error: ' + err.message + '</p>';
+		const width = container.offsetWidth || 800;
+		const height = container.offsetHeight || 400;
+
+		// srcdoc iframes always have a null origin — no physical file needed.
+		const srcdoc =
+			'<!DOCTYPE html><html><head><meta charset="utf-8">' +
+			'<style>*{margin:0;padding:0;box-sizing:border-box}body{overflow:hidden}' +
+			'#chart{width:100%;height:100vh}</style></head>' +
+			'<body><div id="chart"></div>' +
+			'<script src="' + iframeJsUrl + '"><\/script></body></html>';
+
+		const iframe = document.createElement( 'iframe' );
+		iframe.setAttribute( 'sandbox', 'allow-scripts' );
+		iframe.setAttribute( 'srcdoc', srcdoc );
+		iframe.setAttribute( 'data-viz-id', id );
+		iframe.style.cssText =
+			'border:0;width:' + width + 'px;height:' + height + 'px;display:block;';
+
+		// Once the iframe signals it is ready, send the render command.
+		function onReady( event ) {
+			if ( event.source !== iframe.contentWindow ) return;
+			const msg = event.data;
+			if ( ! msg || msg.type !== 'iframe-ready' ) return;
+			window.removeEventListener( 'message', onReady );
+			iframe.contentWindow.postMessage(
+				{ type: 'render', code, series: chart.series, data: chart.data },
+				'*'
+			);
 		}
+
+		window.addEventListener( 'message', onReady );
+
+		container.innerHTML = '';
+		container.appendChild( iframe );
 	}
 
 	// Double requestAnimationFrame — ensures browser has completed layout before measuring.
 	requestAnimationFrame( () => requestAnimationFrame( doRender ) );
 }
 
-function ensurePngName( name ) {
-	if ( ! name ) return 'chart.png';
-	return name.toLowerCase().endsWith( '.png' ) ? name : `${ name }.png`;
-}
-
-function downloadDataUrl( dataUrl, name ) {
-	const link = document.createElement( 'a' );
-	link.href = dataUrl;
-	link.download = ensurePngName( name );
-	document.body.appendChild( link );
-	link.click();
-	link.remove();
-}
-
-function svgToPng( svg, callback ) {
-	const rect = svg.getBoundingClientRect();
-	const width = parseFloat( svg.getAttribute( 'width' ) ) || rect.width || 800;
-	const height = parseFloat( svg.getAttribute( 'height' ) ) || rect.height || 600;
-	const clone = svg.cloneNode( true );
-	clone.setAttribute( 'width', width );
-	clone.setAttribute( 'height', height );
-	const serializer = new XMLSerializer();
-	const svgText = serializer.serializeToString( clone );
-	const svgDataUrl = 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent( svgText );
-
-	const img = new Image();
-	img.onload = () => {
-		const canvas = document.createElement( 'canvas' );
-		canvas.width = width;
-		canvas.height = height;
-		const ctx = canvas.getContext( '2d' );
-		ctx.fillStyle = '#ffffff';
-		ctx.fillRect( 0, 0, width, height );
-		ctx.drawImage( img, 0, 0 );
-		callback( canvas.toDataURL( 'image/png' ) );
-	};
-	img.onerror = () => callback( null );
-	img.src = svgDataUrl;
-}
-
 function handleImageAction( id, name, action ) {
 	const container = document.getElementById( id );
 	if ( ! container ) return;
 
-	const canvas = container.querySelector( 'canvas' );
-	if ( canvas && typeof canvas.toDataURL === 'function' ) {
-		const img = canvas.toDataURL( 'image/png' );
-		if ( action === 'print' ) {
-			const win = window.open();
-			win.document.write( "<br><img src='" + img + "'/>" );
-			win.document.close();
-			win.onload = function () { win.print(); setTimeout( win.close, 500 ); };
-		} else {
-			downloadDataUrl( img, name );
-		}
-		return;
-	}
+	const iframe = container.querySelector( 'iframe[data-viz-id]' );
+	if ( ! iframe || ! iframe.contentWindow ) return;
+
+	function onResult( event ) {
+		if ( event.source !== iframe.contentWindow ) return;
+		const msg = event.data;
+		if ( ! msg || msg.type !== 'export-image-result' ) return;
+		window.removeEventListener( 'message', onResult );
 
-	const svg = container.querySelector( 'svg' );
-	if ( ! svg ) return;
+		const dataUrl = msg.dataUrl;
+		if ( ! dataUrl ) return;
 
-	svgToPng( svg, ( img ) => {
-		if ( ! img ) return;
 		if ( action === 'print' ) {
 			const win = window.open();
-			win.document.write( "<br><img src='" + img + "'/>" );
+			win.document.write( "<br><img src='" + dataUrl + "'/>" );
 			win.document.close();
 			win.onload = function () { win.print(); setTimeout( win.close, 500 ); };
 		} else {
-			downloadDataUrl( img, name );
+			downloadDataUrl( dataUrl, name );
 		}
-	} );
+	}
+
+	window.addEventListener( 'message', onResult );
+	iframe.contentWindow.postMessage( { type: 'export-image' }, '*' );
 }
 
 ( function ( $ ) {
-	$( 'body' ).on( 'visualizer:render:chart:start', function ( e, viz ) {
+	$( 'body' ).on( 'visualizer:render:chart:start', function ( _e, viz ) {
 		if ( ! viz.charts ) return;
 
 		// Frontend mode: a specific chart ID is provided.
@@ -148,7 +148,7 @@ function handleImageAction( id, name, action ) {
 		} );
 	} );
 
-	$( 'body' ).on( 'visualizer:action:specificchart', function ( event, v ) {
+	$( 'body' ).on( 'visualizer:action:specificchart', function ( _event, v ) {
 		if ( v.action !== 'image' && v.action !== 'print' ) return;
 		handleImageAction( v.id, v?.dataObj?.name, v.action );
 	} );

classes/Visualizer/D3Renderer/webpack.config.js

@@ -0,0 +1,43 @@
+const path = require( 'path' );
+const defaultConfig = require( '@wordpress/scripts/config/webpack.config' );
+
+const buildDir = path.resolve( __dirname, 'build' );
+
+/**
+ * Main bundle (index.js) — standard wp-scripts config with WP dependency
+ * extraction.  Runs in the parent page context.
+ */
+const mainConfig = {
+	...defaultConfig,
+	entry: {
+		index: path.resolve( __dirname, 'src/index.js' ),
+	},
+	output: {
+		...defaultConfig.output,
+		path: buildDir,
+	},
+};
+
+/**
+ * Iframe bundle (iframe.js) — standalone IIFE that runs inside a sandboxed
+ * iframe.  WordPress dependency extraction is disabled so that d3 and
+ * topojson are bundled inline (the iframe has no access to wp.* globals).
+ */
+const iframeConfig = {
+	...defaultConfig,
+	entry: {
+		iframe: path.resolve( __dirname, 'src/iframe.js' ),
+	},
+	output: {
+		...defaultConfig.output,
+		path: buildDir,
+	},
+	// Remove DependencyExtractionWebpackPlugin — iframe has no WP globals.
+	plugins: defaultConfig.plugins.filter(
+		( plugin ) => plugin.constructor.name !== 'DependencyExtractionWebpackPlugin'
+	),
+	// Bundle d3/topojson inline; do not treat anything as external.
+	externals: {},
+};
+
+module.exports = [ mainConfig, iframeConfig ];

classes/Visualizer/Gutenberg/Block.php

@@ -138,6 +138,13 @@ public function enqueue_gutenberg_scripts() {
 		}
 		if ( wp_script_is( 'visualizer-d3-renderer', 'registered' ) ) {
 			wp_enqueue_script( 'visualizer-d3-renderer' );
+			wp_localize_script(
+				'visualizer-d3-renderer',
+				'vizD3Renderer',
+				array(
+					'iframeJsUrl' => VISUALIZER_ABSURL . 'classes/Visualizer/D3Renderer/build/iframe.js',
+				)
+			);
 		}
 
 		// Enqueue frontend and editor block styles