
Beware where you are POSTing!

Recently I had the pleasure to work with Highcharts, a JavaScript library for creating dynamic diagrams. Recommended! The client also wanted the ability to download the data that is used in the diagrams as a CSV file. A quick browse through the documentation taught me that Highcharts supports this scenario. There are multiple ways to do this, but the one I've seen the most involves POSTing your diagram data to a page that resides within the Highcharts domain. See:

That csv.php page only adds the headers to create a download:

This means that if you use this construction, all your diagram data will be passed to a page that is within the control of Highcharts. Remember, I'm not claiming that Highcharts will do anything malicious with your data! On the contrary, Highcharts even advises in their documentation that you should create your own page if you don't want to expose your data. Not to mention that they explicitly tell you that the page could disappear at any moment.

However, a quick search on GitHub taught me that a number of projects are still using the Highcharts csv.php page, meaning that all their data will be posted to another party (over plain HTTP as well).

So kids, whenever you start to POST data to a third party, ask yourself if you don't mind that the data being posted is now potentially public. And create your own page to handle that download. In ASP.NET MVC it is as simple as creating the following controller method:
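The controller method below is an added example written for this post, not code from the original article or from Highcharts. It assumes the browser POSTs the diagram data in a form field named `csv` (an assumption; check the field name your export form actually sends) and that the application is classic ASP.NET MVC on `System.Web.Mvc`. It echoes the posted data back as a CSV attachment so nothing ever leaves your own domain.

```csharp
using System.Text;
using System.Web.Mvc;

public class ExportController : Controller
{
    // Upper bound on the payload we are willing to echo back.
    // Assumption: 2 MB is ample for chart data; tune it for your diagrams.
    private const int MaxCsvLength = 2 * 1024 * 1024;

    // Receives the diagram data POSTed by the browser and returns it as a download.
    // The "csv" field name and the "chart-data.csv" filename are assumptions for this example.
    [HttpPost]
    public ActionResult Csv(string csv)
    {
        if (string.IsNullOrEmpty(csv))
        {
            return new HttpStatusCodeResult(400, "No CSV data supplied.");
        }

        if (csv.Length > MaxCsvLength)
        {
            return new HttpStatusCodeResult(413, "CSV payload too large.");
        }

        // The filename is fixed server-side; never build it from request input.
        // File() sets Content-Type: text/csv and Content-Disposition: attachment,
        // so the browser saves the response instead of rendering user-supplied
        // content in the page.
        var bytes = Encoding.UTF8.GetBytes(csv);
        return File(bytes, "text/csv", "chart-data.csv");
    }
}
```

Point the export form's `action` at `/Export/Csv` on your own site instead of the Highcharts URL, and serve it over HTTPS so the data is not readable in transit either. The action changes no server state, it only hands the caller's own bytes back, which is why it needs no anti-forgery token; the size cap and the fixed content type and filename are the checks that matter, because everything in the response body comes straight from the request.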
