-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS posibility #199
Comments
This is what I am experiencing as well, it is opposite the rails convention of escaping by default in views. |
well, for every datatable you create, you have to define and handle each field by yourself. lib does not do that. |
I fixed mine with a monkey-patch: class AjaxDatatablesRails::Base
def as_json(options = {})
{
:draw => params[:draw].to_i,
:recordsTotal => get_raw_records.count(:all),
:recordsFiltered => filter_records(get_raw_records).count(:all),
:data => sanitize(data)
}
end
private
def sanitize(data)
data.map do |record|
record.map do |td|
ERB::Util.html_escape(td)
end
end
end
end |
Fixed : 888b281 |
How can I make sure that one of the columns data does not get escaped. |
Mark the column as |
Hi @n-rodriguez, this fix is breaking a use case I had, where i was setting the attribute 'DT_RowAttr' in the record with a Hash to style my datatable rows. Now is escaping the hash so the styling doesn't work. |
When returning the data trough the json it should be html escaped.
During a security audit we found that a string with:
Will show an alert image. We solved it now by escaping the result but it should be done my the library?
Our quick fix is:
The text was updated successfully, but these errors were encountered: