visjs
Regression in 7.4.4: Unable to define CSS styles for data or groups
Example:
<!DOCTYPE HTML>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.min.js"></script>
<link href="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.min.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="visualization"></div>
<script type="text/javascript">
var container = document.getElementById('visualization');
var items = [
{id: 1, content: '<h1>data</h1><span style="color:red">red</span>', start: '2013-04-19'}
]
var timeline = new vis.Timeline(container, items, {});
</script>
</body>
</html>
In 7.4.3, the above results in
But after 7.4.4, any styles (whether using the <style> tag or whether inline) get stripped, both from items and from groups.
I I understand that there is a style parameter, however that doesn't always do the job. The problem is that the style parameter applies a style to the entire cell, but I want to define CSS rules. In my example, I want to create an HTML table inside an item, and I want to apply certain styles to the table, not to the entire item.
I also understand this is likely because of the XSS security feature that was implemented in 7.4.4, but I'm wondering if this is an intendd consequence (is style a XSS vulnerability?)
Similarly:
Can you confirm whether including local images was considered a XSS vulnerability? I had a timeline with code similar to
content: 'data <img src="path/to/local/image.png" />'
Which worked in 7.4.3 but not in 7.4.4.