Version: docker-image latest (as of 29.05.2020 - Docker Image mongo-express:latest@sha256:bae0a154c4d73f1e61a532148942c582fbfad22944638d4307a4710daa1398b6)
Problem
I use a MongoDB collection to save HTML documents in a string property of documents and use mongo-express to access the Mongo database. Especially when the properties with the HTML content are not loaded directly because of their size and I click on "*** LARGE PROPERTY *** ~106 KB Preview: ... Click to fetch this property", the HTML content is loaded and rendered by the browser.
If you need further information please feel free to ask - I'll try to answer as fast as possible.
Reconstruction
If you create a collection, e.g. with mongo-express, and create a document like the following: bigger than 100kB and starting with HTML tags. Save the document, and when you look in the HTML sources of the collection-view page, then you will find that the HTML tags are not escaped.
I had a look at the HTML source of the overview page and it seems that the preview content of the big attributes ("Async on-demand loading of big document properties (>100KB default) to keep collection view fast") is not escaped:
Screenshot of mongo-express in browser:
Screenshot of the HTML source of the above page:
MartinEnders changed the title from "HTML in String fields is not escaped" to "HTML in String fields is not escaped if only preview is loaded" on May 30, 2020
Here are some Screenshots
The Screenshots are from the complete page so they are really long but I think they demonstrate the Problem quite well.
Normal View:

Opened a first HTML content attribute by clicking on "Large Property":

Opened a second HTML content attribute

Opened multiple HTML content attributes:
