XSS possibility #199

Closed
johan-smits opened this issue Feb 28, 2017 · 7 comments

Comments

@johan-smits

When returning the data through the JSON it should be HTML escaped.
During a security audit we found that a string with:

Name "><img src=x onerror=alert("XSS")>

will show an alert image. We solved it now by escaping the result, but shouldn't it be done by the library?

Our quick fix is:

```ruby
require 'erb'
include ERB::Util # makes html_escape available outside a view (assumption: how the helper is brought into scope here)

def data
  begin
    records.map do |record|
      [
        html_escape(record.name),
        # ... remaining columns, each escaped the same way
      ]
    end
  end
end
```
@dillonhafer

dillonhafer commented Mar 28, 2017

This is what I am experiencing as well; it is the opposite of the Rails convention of escaping by default in views.

@ajahongir
Collaborator

> We solved it now by escaping the result, but shouldn't it be done by the library?

Well, for every datatable you create, you have to define and handle each field by yourself. The lib does not do that.
You have to override the data method for every datatable of yours.

@dillonhafer

dillonhafer commented Mar 28, 2017

I fixed mine with a monkey-patch:

```ruby
require 'erb'

class AjaxDatatablesRails::Base
  # Same JSON envelope as the gem's as_json, but the rows pass through sanitize first
  def as_json(options = {})
    {
      :draw => params[:draw].to_i,
      :recordsTotal =>  get_raw_records.count(:all),
      :recordsFiltered => filter_records(get_raw_records).count(:all),
      :data => sanitize(data)
    }
  end

  private

  # HTML-escape every cell of every row before it is serialized
  def sanitize(data)
    data.map do |record|
      record.map do |td|
        ERB::Util.html_escape(td)
      end
    end
  end
end
```

@n-rodriguez
Member

Fixed: 888b281
Thank you!

@ikaul

ikaul commented Jun 27, 2017

How can I make sure that one column's data does not get escaped?
I wanted to add a
row1
row2
row3.
If I add the data as an array, it shows the [].

@dillonhafer

Mark the column as #html_safe

@zenzei

zenzei commented Jul 22, 2017

Hi @n-rodriguez, this fix is breaking a use case I had, where I was setting the attribute 'DT_RowAttr' in the record with a Hash to style my datatable rows. Now it is escaping the hash, so the styling doesn't work.
I think at least the sanitize method should not be private, so we know that maybe we will need to override it.
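As an added example (not code from this issue or from ajax-datatables-rails), here is a stand-alone Ruby sanitizer that covers the three behaviours discussed in the thread: the per-cell escaping that dillonhafer's monkey-patch introduced, ikaul's multi-line cell that must not be re-escaped, and zenzei's DT_RowAttr Hash that must pass through untouched. It uses ERB::Util.html_escape from the standard library; the SafeString class standing in for Rails' html_safe marker, the rule that row keys starting with DT_ are skipped, and the sample rows are this example's own assumptions.

```ruby
require 'erb'

# Constructed stand-in for Rails' html_safe marker: a String subclass that
# answers html_safe? with true. In a Rails app this role is played by
# ActiveSupport::SafeBuffer (String#html_safe); the subclass is an assumption
# so the example runs without Rails.
class SafeString < String
  def html_safe?
    true
  end
end

module CellSanitizer
  module_function

  # Escape one value bound for a DataTables cell.
  #  - plain Strings are HTML-escaped with ERB::Util.html_escape
  #  - Strings already marked html_safe? are passed through unchanged
  #  - Arrays are escaped element-wise (so a multi-line cell is not turned
  #    into the literal "[...]" text by to_s)
  #  - anything else (numbers, nil, booleans) is returned as-is
  def sanitize_cell(td)
    case td
    when Array then td.map { |v| sanitize_cell(v) }
    when String
      td.respond_to?(:html_safe?) && td.html_safe? ? td : ERB::Util.html_escape(td)
    else td
    end
  end

  # Escape one row. Rows may be Arrays (positional columns) or Hashes
  # (named columns). Hash keys beginning with "DT_" (DT_RowId, DT_RowClass,
  # DT_RowAttr, DT_RowData) are DataTables row metadata rather than cell
  # HTML, so by this example's policy they are left untouched; every other
  # value goes through sanitize_cell.
  def sanitize_row(row)
    case row
    when Hash
      row.each_with_object({}) do |(k, v), out|
        out[k] = k.to_s.start_with?('DT_') ? v : sanitize_cell(v)
      end
    else
      sanitize_cell(row)
    end
  end

  def sanitize_rows(rows)
    rows.map { |row| sanitize_row(row) }
  end

  # Build a deliberately multi-line cell: escape each line first, then join
  # with <br> and mark the result safe so the sanitizer leaves it alone.
  def multiline_cell(lines)
    SafeString.new(lines.map { |l| ERB::Util.html_escape(l) }.join('<br>'))
  end
end

# Constructed sample rows: the audit payload quoted in the issue, a
# multi-line cell, and a named-column row carrying DT_RowAttr styling.
SAMPLE_ROWS = [
  ['Name "><img src=x onerror=alert("XSS")>', 42],
  [CellSanitizer.multiline_cell(%w[row1 row2 row3]), 7],
  { 'name' => '<b>bold</b>', 'DT_RowAttr' => { 'style' => 'color: red' } }
].freeze

if __FILE__ == $PROGRAM_NAME
  require 'json'
  puts JSON.pretty_generate('data' => CellSanitizer.sanitize_rows(SAMPLE_ROWS))
end
```

Running the file prints the sanitized JSON envelope. The point of multiline_cell is that the html_safe marker is only applied after the untrusted parts have been escaped; marking a raw string safe, as a shortcut for getting line breaks through, would reintroduce the original injection. In a Rails app the same pattern is `lines.map { |l| ERB::Util.html_escape(l) }.join('<br>').html_safe`, and the sanitize method would be overridden on the datatable class rather than patched in.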
