HTML injection vulnerability #913
Comments
+1
Per Mozilla's documentation,
OK, so I've changed from:
to
Is that all I need to do? I'm afraid it will have an impact on some older browsers - any advice on that?
I am not sure of the context of the code, so it may already be done. I don't know about valueGetter...
It's only done when no cellRenderer is used.
@AmitMY
valueGetter isn't used for rendering - the value is then either passed to the cellRenderer or rendered by the grid (which, as above, uses textContent now)
This is now back as a regression from the new rendering engine. @ceolter |
I fixed this in my project by setting a default cellRenderer for my grid:
I was very surprised to discover that ag-Grid does nothing to escape field values by default.
With a column definition like:
`{headerName: "Name", field: "name"}`
a user can enter a name such as `<span onclick="alert('hacked!')">John Smith</span>` and effectively initiate a cross-site scripting attack.
The only time field values should not be escaped is if there is a custom `cellRenderer` for the column.
Related: #9 (comment)
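As an added example (not ag-Grid's own code and not from this issue): a default cellRenderer that HTML-escapes cell values and is wired in through defaultColDef, the workaround described in the comments above. The params fields it reads (value, valueFormatted) follow ag-Grid's cellRenderer params but are an assumption for any particular grid version.

```javascript
// Added example, not ag-Grid's code: a default cellRenderer that escapes
// cell values so a grid which inserts a renderer's returned string as HTML
// shows hostile input literally instead of parsing it as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open or close markup or break out of an
// attribute value. Non-string input is stringified first.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Default cellRenderer: prefers the formatted value (output of a valueFormatter)
// over the raw value, renders nothing for null/undefined, and escapes the result.
// Assumption: params.value / params.valueFormatted as in ag-Grid renderer params.
function escapingCellRenderer(params) {
  const value = params.valueFormatted != null ? params.valueFormatted : params.value;
  if (value == null) return '';
  return escapeHtml(value);
}

// Grid options wiring: every column that does not declare its own cellRenderer
// inherits the escaping one, so the plain column definition from the issue is covered.
const gridOptions = {
  defaultColDef: { cellRenderer: escapingCellRenderer },
  columnDefs: [{ headerName: 'Name', field: 'name' }],
};

// Constructed demo row using the payload quoted in the issue.
const hostileRow = { name: "<span onclick=\"alert('hacked!')\">John Smith</span>" };
const rendered = gridOptions.defaultColDef.cellRenderer({ value: hostileRow.name });
// → "&lt;span onclick=&quot;alert(&#39;hacked!&#39;)&quot;&gt;John Smith&lt;/span&gt;"
```

Columns that supply their own cellRenderer bypass this default, so each of those renderers must escape (or build DOM nodes with textContent) on its own.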