DataGrid: Custom Formatter breaks on special characters #975
Comments
We had been trying to strip inline JS functions for security reasons, for example onclick etc. Is it really necessary to include onxxx functions, as I would be worried about removing that stripping? Could you do it with JS instead? Thanks
Well, the strings that are causing problems are user-defined. So it's not so much that we want them there; it's just that their being there causes rendering problems. So basically if User1 inserts a weird string that will be included in a data grid, then User2 will not be able to properly view the grid.
So it would be ok to make this:
Into this?
I actually thought it was... Otherwise I guess we could make a less secure option to not strip these for a formatter/column? Otherwise it might be tricky?
I think the issue is that the template that should be part of the datagrid is instead inserted in the title attribute in this case. So the fact that XSS stuff is stripped is not really an issue as far as I know. The issue is that certain characters/words seem to break the XSS stripping. I haven't looked at the code that removes the JS functions, but it looks like maybe the escaped...
OK, I can look at that function and see; if that's the case it alleviates some concerns I have. Are you really using a custom formatter to do this? If so, a workaround might be to use the XSS clean functions in the formatter to append the title to the HTML in a separate action to code around it, rather than a string with it all.
Yeah, a custom formatter may not be ideal. But I'm not aware of other ways of achieving a UI like this without it? This is the formatter, for more context:

```typescript
// Builds the markup for one cell: an alert icon followed by truncated text
// whose full value is exposed through the native title tooltip.
private doTheFormatting(item): string {
  // tooltip and cellText are user-supplied, so both are escaped before interpolation.
  // Note that the title attribute below is single-quoted, which means the escaper
  // must also neutralise a raw ' or the value can terminate the attribute early.
  const title = HtmlUtil.escapeStringForHtml(item.tooltip);
  const text = HtmlUtil.escapeStringForHtml(item.cellText);
  // iconClass and icon are interpolated as-is (not escaped).
  const template =
    `
    <div class="lm-truncate-text">
      <svg class="icon datagrid-alert-icon ${item.iconClass}"
        focusable="false" aria-hidden="true" role="presentation">
        <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#icon-${item.icon}"/>
      </svg>
      <p style="display:inline; margin-left: 5px;"
        title='${title}'>
        ${text}
      </p>
    </div>
    `;
  return template;
}
```

...where
This has been QA tested and passed on v4.53.0-dev. https://main-enterprise.demo.design.infor.com/components/datagrid/test-custom-formatter-special-char.html Moving this ticket to Done. Thanks!
Describe the bug
A custom formatter breaks when it returns certain characters. We're not sure what's actually causing the issue, but it has to do with inserting (escaped) HTML like
' onsomething=....
Example:
To Reproduce
Steps to reproduce the behavior:
' abc=y
Expected behavior
The tooltip (standard title attribute) should only display exactly what has been declared, regardless of whether it is escaped HTML or not.
Version
Screenshots
datagrid-format.mp4
Platform
Additional context
Homepages issue: https://jira.infor.com/browse/LIME-6636
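The two failure modes discussed in this thread, the formatter comment above and the "Describe the bug" section, are (1) a tooltip string such as `' onsomething=....` or `' abc=y` escaping out of the single-quoted title attribute, and (2) an inline-handler stripper mangling a value that was correctly escaped. The following is an added example, not code from the enterprise project or from the formatter posted in the thread. What `HtmlUtil.escapeStringForHtml` actually encodes is not stated on the page, so `escapeTextOnly` is a hypothetical escaper that leaves the single quote alone; `stripHandlersNaive` and `stripHandlersAware` are hypothetical stand-ins for a regex-on-markup XSS filter and an attribute-aware one, and the `<p>` template is a reduced version of the posted cell markup.

```javascript
// Added example (not the infor-design/enterprise code nor the formatter posted
// in the thread). Stand-ins used here are hypothetical:
//   escapeTextOnly     - an escaper that handles & < > " but leaves ' alone
//   escapeAttr         - encodes everything needed inside any attribute value
//   stripHandlersNaive - regex-on-markup removal of on*=... (hypothetical)
//   stripHandlersAware - attribute-aware removal of on* attributes (hypothetical)

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Hypothetical text-only escaper: fine for text nodes and double-quoted
// attributes, not safe for a single-quoted attribute like title='...'.
function escapeTextOnly(s) {
  return String(s).replace(/[&<>"]/g, (c) => ENTITIES[c]);
}

// Attribute-safe escaper: also encodes ', so the value can never close the quote.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function decodeEntities(s) {
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_m, e) => back[e]);
}

// Reduced cell template in the shape of the formatter posted in the thread.
function renderCell(tooltip, text, escape) {
  return `<p style="display:inline" title='${escape(tooltip)}'>${escape(text)}</p>`;
}

// Start-tag and attribute tokenisers, sufficient for the markup built here.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^>]*)?)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Attributes of the first start tag, roughly as a browser tokenizer sees them.
function parseStartTag(html) {
  const m = new RegExp(TAG_RE.source).exec(html);
  const attrs = {};
  if (!m) return attrs;
  for (const a of m[2].matchAll(ATTR_RE)) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
  }
  return attrs;
}

// The tooltip a browser would show: the decoded value of the title attribute.
function titleOf(html) {
  const t = parseStartTag(html).title;
  return t === undefined ? undefined : decodeEntities(t);
}

// Hypothetical regex-based filter: deletes on*=value wherever it occurs in the
// serialized markup, including inside an already-escaped attribute value.
function stripHandlersNaive(html) {
  return html.replace(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Attribute-aware filter: re-tokenise each start tag and drop only attributes
// whose name starts with "on"; attribute values are never inspected or altered.
function stripHandlersAware(html) {
  return html.replace(TAG_RE, (_m, name, attrText) => {
    const kept = [];
    for (const a of attrText.matchAll(ATTR_RE)) {
      if (/^on/i.test(a[1])) continue;
      const value = a[2] ?? a[3] ?? a[4];
      kept.push(value === undefined ? a[1] : `${a[1]}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Walk a constructed tooltip (modelled on the reported ' onsomething=... input)
// through both escapers and both strippers.
function demonstrate(tooltip = "' onsomething=alert(1)", text = 'Item') {
  const weak = renderCell(tooltip, text, escapeTextOnly);
  const safe = renderCell(tooltip, text, escapeAttr);
  return {
    weakMarkup: weak,
    weakHasHandlerAttr: 'onsomething' in parseStartTag(weak), // breakout before any stripping
    safeMarkup: safe,
    safeTitle: titleOf(safe),                                 // round-trips the tooltip
    naiveStripOfSafe: stripHandlersNaive(safe),               // title attribute left unterminated
    naiveStripTitle: titleOf(stripHandlersNaive(safe)),
    awareStripTitle: titleOf(stripHandlersAware(safe)),       // round-trips the tooltip
  };
}

console.log(demonstrate());
```

Run with `node` to see the four serialisations side by side. The formatter-side lesson is that an escaper used for a single-quoted attribute must encode `'` (or the attribute should be double-quoted with `"` encoded); the grid-side lesson is that handler stripping has to operate on tokenised attribute names, not on the serialized string, or it will eat bytes out of a correctly escaped value. The workaround suggested in the thread, building the element with DOM APIs and calling `setAttribute('title', item.tooltip)`, avoids the escaping question entirely because the value never passes through the HTML parser.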