Affected versions of the package are vulnerable to HTML Injection.
ag-grid used Mozilla's Element.innerHTML, which is vulnerable to Cross-site Scripting (XSS) attacks when it is given a user-supplied value. In this case an attacker could insert a malicious username and initiate an XSS attack, like:
<span onclick="alert('hacked!')">John Smith</span>
Upgrade ag-grid to version 5.0.0 or higher.
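The pattern behind this advisory, shown as an added example that is not ag-grid's own code: a cell renderer that concatenates a value into markup destined for innerHTML, beside two safe forms. The names renderCellUnsafe, renderCellSafe, fillCell and escapeHtml are hypothetical, and the sample username is the one quoted above.

```javascript
// Added example; function names are hypothetical, not ag-grid APIs.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Encode the five characters that can change HTML context.
// null/undefined become an empty string; other values are stringified.
function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// BEFORE: the value is pasted into an HTML string. Once that string is
// assigned to innerHTML, any tags or attributes in the value are parsed
// as real markup.
function renderCellUnsafe(value) {
  return '<div class="cell">' + value + '</div>';
}

// AFTER (string-building renderer): escape at the point of interpolation,
// so the value can only ever become text.
function renderCellSafe(value) {
  return '<div class="cell">' + escapeHtml(value) + '</div>';
}

// AFTER (DOM renderer): when the cell holds plain text, skip HTML parsing
// entirely. textContent never interprets its input as markup.
function fillCell(cellElement, value) {
  cellElement.textContent = String(value == null ? '' : value);
}

// Sample input: the username from the advisory text.
const username = '<span onclick="alert(\'hacked!\')">John Smith</span>';

console.log(renderCellUnsafe(username)); // attribute survives as markup
console.log(renderCellSafe(username));   // rendered as visible text only
```

Escaping as above is correct for element content and quoted attribute values; values placed into URLs, script blocks or style contexts need their own encoding.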
- Theodore Brown
- Snyk ID
- 18 May, 2016
- 16 Mar, 2017