Hi
When using dataFormat function and not converting the value to a react component
output is not sanitised. Therefore you can easily run XSS through it.
Example: https://codesandbox.io/s/q7oj2v6xo9?fontsize=14

If you return an invalid react element, it will use dangerouslySetInnerHTML. Your fix could be to use the following dataFormat: dataFormat={v => (<span>{v}</span>)}
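The following is an added model of the two dataFormat variants discussed in this thread, not code from react-bootstrap-table or from either participant. It assumes, as the reply states, that a return value which is not a React element is injected via dangerouslySetInnerHTML, while text inside a returned element is escaped by React; createElement, isValidElement and renderCell are stand-ins written here so the example runs without React.

```javascript
// Minimal stand-in for a React element so the example runs without React.
// (hypothetical helpers, not React's own implementation)
function createElement(type, props, ...children) {
  return { $$typeof: 'react.element', type, props: { ...props, children } };
}
function isValidElement(v) {
  return v !== null && typeof v === 'object' && v.$$typeof === 'react.element';
}

// React-style escaping of text children: ampersand, angle brackets, quotes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}

// Render an element tree to HTML; text nodes are escaped, never trusted.
function renderElement(el) {
  const inner = el.props.children
    .map(c => (isValidElement(c) ? renderElement(c) : escapeHtml(c)))
    .join('');
  return `<${el.type}>${inner}</${el.type}>`;
}

// Model of the cell renderer described in the reply: an element is rendered
// with escaping; anything else is treated like dangerouslySetInnerHTML, i.e.
// the string lands in the DOM unchanged (assumption from the thread).
function renderCell(dataFormat, value) {
  const out = dataFormat(value);
  return isValidElement(out) ? renderElement(out) : String(out);
}

// The two dataFormat variants from the thread.
const unsafeFormat = v => v;                             // returns a raw string
const safeFormat = v => createElement('span', null, v);  // wraps in <span>

// Constructed cell value containing markup (a benign tag, used only to show
// whether markup survives rendering).
const SAMPLE = 'price <i>after</i> tax';

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderCell(unsafeFormat, SAMPLE), // markup passes through as-is
    safe: renderCell(safeFormat, SAMPLE),     // markup is entity-escaped
  };
}
```

In the unsafe case the `<i>` tag survives as markup; in the safe case it is rendered as the literal text `&lt;i&gt;`, which is the behaviour the span wrapper restores.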