vega is vulnerable to Cross-site Scripting (XSS) attacks. The library does not properly enforce types for its arguments in the `lassoAppend` function, which allows an attacker to specify any object with a `push` function. The `push` function can then be set to any function that has access to `event.view`.
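A minimal model of this class of bug, added here as an illustration and not taken from vega's source: `appendPointUnsafe`, `appendPointSafe` and `checkedCopy` are hypothetical names, and the inputs are constructed. The unsafe helper calls whatever `push` its argument carries; the hardened one accepts only real arrays of numeric pairs and never calls a method on its input.

```javascript
// Hypothetical helpers modelling the pattern described above (not vega's code).
function distance(a, b) {
  return Math.hypot(a[0] - b[0], a[1] - b[1]);
}

// Unsafe: assumes `lasso` is an array and invokes the `push` it finds on it.
function appendPointUnsafe(lasso, x, y, minDist = 5) {
  const last = lasso[lasso.length - 1];
  if (last === undefined || distance(last, [x, y]) > minDist) {
    lasso.push([x, y]); // caller-controlled call when lasso is not a plain array
  }
  return lasso;
}

// Copy by index into a fresh array, validating the container and every point.
function checkedCopy(lasso) {
  if (!Array.isArray(lasso)) throw new TypeError('lasso must be an array');
  const out = [];
  for (let i = 0; i < lasso.length; i++) {
    const p = lasso[i];
    if (!Array.isArray(p) || p.length !== 2 ||
        !Number.isFinite(p[0]) || !Number.isFinite(p[1])) {
      throw new TypeError('lasso points must be [x, y] number pairs');
    }
    out[i] = [p[0], p[1]];
  }
  return out;
}

// Hardened: works on its own copy, so no method of the input is ever called.
function appendPointSafe(lasso, x, y, minDist = 5) {
  if (!Number.isFinite(x) || !Number.isFinite(y)) throw new TypeError('x and y must be numbers');
  const points = checkedCopy(lasso);
  const last = points[points.length - 1];
  if (last === undefined || distance(last, [x, y]) > minDist) points.push([x, y]);
  return points;
}

function demo() {
  const calls = []; // records every invocation of a caller-supplied push
  const lookalike = { length: 0, push: (p) => calls.push(p) }; // constructed input
  appendPointUnsafe(lookalike, 10, 20);
  const unsafeCalls = calls.length;
  let rejected = false;
  try { appendPointSafe(lookalike, 10, 20); } catch (e) { rejected = e instanceof TypeError; }
  const patched = [[0, 0]]; // real array with an overridden push (constructed)
  patched.push = (p) => calls.push(p);
  const result = appendPointSafe(patched, 10, 20);
  return { unsafeCalls, rejected, safeCalls: calls.length - unsafeCalls, result };
}
```

`Array.isArray` alone is not enough, since a real array can carry its own `push` property; that is why the hardened helper copies by index and returns a new array.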