fix(charts): block unsafe urls in chart click-to-navigate handlers by mainframev · Pull Request #35857 · microsoft/fluentui

mainframev · 2026-03-10T16:35:50Z

This is a low-priority, defense-in-depth fix, the same fix can be applied at the app level by sanitizing inputs before passing them to chart components

Previous Behavior

No URL sanitization — href props passed directly to window.location.href, allowing javascript: and other dangerous URI schemes to execute.

New Behavior

All chart navigation validates URLs through a shared isSafeUrl utility. Only http:/https: and relative URLs are allowed

…ndlers

github-actions · 2026-03-10T16:45:23Z

📊 Bundle size report

Package & Exports	Baseline (minified/GZIP)	PR	Change
`react-charting` DeclarativeChart	`676.93 kB` `191.249 kB`	`677.039 kB` `191.279 kB`	`109 B` `30 B`
`react-charting` DonutChart	`203.423 kB` `63.604 kB`	`203.503 kB` `63.649 kB`	`80 B` `45 B`
`react-charting` GanttChart	`282.793 kB` `88.76 kB`	`282.797 kB` `88.761 kB`	`4 B` `1 B`
`react-charting` GroupedVerticalBarChart	`294.467 kB` `91.739 kB`	`294.547 kB` `91.782 kB`	`80 B` `43 B`
`react-charting` HorizontalBarChartWithAxis	`293.933 kB` `91.166 kB`	`293.937 kB` `91.167 kB`	`4 B` `1 B`
`react-charting` Legends	`151.481 kB` `46.399 kB`	`151.485 kB` `46.4 kB`	`4 B` `1 B`
`react-charting` LineChart	`332.434 kB` `101.789 kB`	`332.438 kB` `101.79 kB`	`4 B` `1 B`
`react-charting` MultiStackedBarChart	`181.657 kB` `55.217 kB`	`181.737 kB` `55.262 kB`	`80 B` `45 B`
`react-charting` PolarChart	`235.149 kB` `74.293 kB`	`235.153 kB` `74.294 kB`	`4 B` `1 B`
`react-charting` ScatterChart	`289 kB` `91.071 kB`	`289.004 kB` `91.071 kB`	`4 B`
`react-charting` StackedBarChart	`175.338 kB` `52.813 kB`	`175.418 kB` `52.858 kB`	`80 B` `45 B`
`react-charting` VerticalBarChart	`303.585 kB` `93.172 kB`	`303.589 kB` `93.173 kB`	`4 B` `1 B`
`react-charting` VerticalStackedBarChart	`300.497 kB` `92.735 kB`	`300.577 kB` `92.782 kB`	`80 B` `47 B`
`react-charts` AreaChart	`412.28 kB` `126.425 kB`	`412.286 kB` `126.424 kB`	`6 B` `-1 B`
`react-charts` DeclarativeChart	`762.928 kB` `220.39 kB`	`762.995 kB` `220.432 kB`	`67 B` `42 B`
`react-charts` GanttChart	`395.399 kB` `119.927 kB`	`395.405 kB` `119.926 kB`	`6 B` `-1 B`
`react-charts` GroupedVerticalBarChart	`403.269 kB` `122.494 kB`	`403.275 kB` `122.494 kB`	`6 B`
`react-charts` HeatMapChart	`397.47 kB` `121.788 kB`	`397.476 kB` `121.79 kB`	`6 B` `2 B`
`react-charts` LineChart	`423.621 kB` `128.472 kB`	`423.627 kB` `128.473 kB`	`6 B` `1 B`
`react-charts` ScatterChart	`402.996 kB` `122.603 kB`	`403.002 kB` `122.603 kB`	`6 B`
`react-charts` VerticalBarChart	`439.74 kB` `128.215 kB`	`439.746 kB` `128.216 kB`	`6 B` `1 B`
`react-charts` VerticalStackedBarChart	`409.183 kB` `123.955 kB`	`409.256 kB` `124 kB`	`73 B` `45 B`

Unchanged fixtures

Package & Exports	Size (minified/GZIP)
`react-charting` AreaChart	`302.827 kB` `94.751 kB`
`react-charting` ChartHoverCard	`37.196 kB` `12.7 kB`
`react-charting` GaugeChart	`197.055 kB` `61.221 kB`
`react-charting` HeatMapChart	`285.643 kB` `89.439 kB`
`react-charting` HorizontalBarChart	`127.266 kB` `39.944 kB`
`react-charting` PieChart	`134.305 kB` `42.299 kB`
`react-charting` SankeyChart	`158.002 kB` `49.166 kB`
`react-charting` Sparkline	`87.616 kB` `29.671 kB`
`react-charting` TreeChart	`84.809 kB` `26.636 kB`
`react-charts` DonutChart	`322.715 kB` `96.946 kB`
`react-charts` FunnelChart	`314.268 kB` `93.991 kB`
`react-charts` GaugeChart	`322.146 kB` `96.373 kB`
`react-charts` HorizontalBarChart	`302.442 kB` `89.116 kB`
`react-charts` HorizontalBarChartWithAxis	`63 B` `83 B`
`react-charts` Legends	`242.388 kB` `71.585 kB`
`react-charts` PolarChart	`351.333 kB` `107.364 kB`
`react-charts` SankeyChart	`220.381 kB` `67.866 kB`
`react-charts` Sparkline	`91.393 kB` `28.708 kB`

_{🤖 This report was generated against 80f357995c67265a761717b3ea4bd4ca300dc220}

github-actions · 2026-03-10T16:48:18Z

Pull request demo site: URL

…gate handlers

mainframev added 2 commits March 10, 2026 17:28

fix(charts): block unsafe URL protocols in chart click-to-navigate ha…

b2a76e8

…ndlers

chore: update change files

a1eea3c

mainframev self-assigned this Mar 10, 2026

mainframev requested a review from a team as a code owner March 10, 2026 16:35

fixup! fix(charts): block unsafe URL protocols in chart click-to-navi…

2dfccc5

…gate handlers

AtishayMsft approved these changes Mar 10, 2026

View reviewed changes

mainframev merged commit b10b744 into microsoft:master Mar 10, 2026
11 of 13 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(charts): block unsafe urls in chart click-to-navigate handlers#35857

fix(charts): block unsafe urls in chart click-to-navigate handlers#35857
mainframev merged 3 commits intomicrosoft:masterfrom
mainframev:fix/charts-sec-in-depth-href

mainframev commented Mar 10, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 10, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

mainframev commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Previous Behavior

New Behavior

Uh oh!

github-actions bot commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📊 Bundle size report

Uh oh!

github-actions bot commented Mar 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

mainframev commented Mar 10, 2026 •

edited

Loading

github-actions bot commented Mar 10, 2026 •

edited

Loading