Cross-site scripting (XSS) vulnerability CVE-2024-37063

### Current Behaviour

https://github.com/advisories/GHSA-2r57-2mrh-ggjv

A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliocusly crafted report is viewed in the browser.
References

    https://nvd.nist.gov/vuln/detail/CVE-2024-37063
    https://hiddenlayer.com/sai-security-advisory/ydata-june2024


### Expected Behaviour

Secured

### Data Description

N/A

### Code that reproduces the bug

_No response_

### pandas-profiling version

>= 3.7.0, <= 4.8.3

### Dependencies

```Text
N/A
```


### OS

All OSes

### Checklist

- [X] There is not yet another bug report for this issue in the [issue tracker](https://github.com/ydataai/pandas-profiling/issues)
- [X] The problem is reproducible from this bug report. [This guide](http://matthewrocklin.com/blog/work/2018/02/28/minimal-bug-reports) can help to craft a minimal bug report.
- [X] The issue has not been resolved by the entries listed under [Common Issues](https://pandas-profiling.ydata.ai/docs/master/pages/support_contrib/common_issues.html).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cross-site scripting (XSS) vulnerability CVE-2024-37063 #1599

Current Behaviour

Expected Behaviour

Data Description

Code that reproduces the bug

pandas-profiling version

Dependencies

OS

Checklist

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cross-site scripting (XSS) vulnerability CVE-2024-37063 #1599

Description

Current Behaviour

Expected Behaviour

Data Description

Code that reproduces the bug

pandas-profiling version

Dependencies

OS

Checklist

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions