Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate potential cross site scripting issues on SlickGrid view #465

Closed
amercader opened this issue Feb 25, 2015 · 0 comments
Closed

Mitigate potential cross site scripting issues on SlickGrid view #465

amercader opened this issue Feb 25, 2015 · 0 comments

Comments

@amercader
Copy link
Contributor

SlickGrid will use $.html to render the header cell contents.

This means that if you are loading an external dodgy CSV like the following one, scripts will be evaluated:

field1,field2<script>alert(123)</script>,field3
data1,data2,data3
data1,data2,data3

Quickest fix is to sanitize the label when initializing SlickGrid
@amercader amercader mentioned this issue Feb 25, 2015
Merged
amercader added a commit to ckan/ckan that referenced this issue Feb 25, 2015
@amercader
[#2319] Clean up field names before rendering the table
19a7952 
See datopian/datahub#465 for details

Patching local recline but a PR has been sent to the recline repo:

datopian/datahub#466
rufuspollock added a commit that referenced this issue Feb 25, 2015
@rufuspollock
Merge pull request #466 from okfn/sanitize-slickgrid-field-name
5b28edf 
Sanitize header name on SlickGrid view. Fixes #465
amercader added a commit to ckan/ckan that referenced this issue Feb 26, 2015
@amercader
[#2319] Clean up field names before rendering the table
08e43ef 
See datopian/datahub#465 for details

Patching local recline but a PR has been sent to the recline repo:

datopian/datahub#466
amercader added a commit to ckan/ckan that referenced this issue Feb 26, 2015
@amercader
[#2319] Clean up field names before rendering the table
b3cd626 
See datopian/datahub#465 for details

Patching local recline but a PR has been sent to the recline repo:

datopian/datahub#466
amercader added a commit to ckan/ckan that referenced this issue Feb 26, 2015
@amercader
[#2319] Clean up field names before rendering the table
50cb5ea 
See datopian/datahub#465 for details

Patching local recline but a PR has been sent to the recline repo:

datopian/datahub#466
amercader added a commit to ckan/ckan that referenced this issue Feb 26, 2015
@amercader
[#2319] Clean up field names before rendering the table
1f85e9d 
See datopian/datahub#465 for details

Patching local recline but a PR has been sent to the recline repo:

datopian/datahub#466
@rufuspollock rufuspollock mentioned this issue Apr 8, 2016
Merged
rufuspollock added a commit that referenced this issue Apr 9, 2016
@rufuspollock
Merge pull request #498 from smotornyuk/465-sanitize-header-name-on-s…
906af6b 
…lickgrid-view

[#465] Sanitize header name on SlickGrid view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@amercader