Documentation for yFiles for HTML 2.6

Known Vulnerabilities

The only known vulnerability is a code injection opportunity that exists only when both of the following hold: a StringTemplate style is used, and the application can load GraphML files from insecure locations.

Using only one of these features poses no risk.

Starting with yFiles for HTML 2.3, the StringTemplate styles filter out active code by default. If such code is actually needed, the filter can be turned off by enabling the respective style’s trusted property. Prior to yFiles for HTML 2.3, such code is always executed.

The StringTemplate styles, namely StringTemplateNodeStyle, StringTemplateLabelStyle, StringTemplatePortStyle, and StringTemplateStripeStyle, can load SVG templates from GraphML and execute code that is included in such templates. Like the yFiles for HTML library itself, this code runs in the context of the user’s web application and thus has access to any data that is currently available in that application. This is the intended behavior that makes even advanced use cases possible, but it can also be exploited by attackers if they can modify the GraphML files that the application loads.

Since yFiles for HTML has no third-party dependencies, there are no vulnerabilities inherited from dependencies.