Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tweak to datatables column rendering #1948

Merged
merged 1 commit into from Oct 28, 2021
Merged

Tweak to datatables column rendering #1948

merged 1 commit into from Oct 28, 2021

Conversation

PromoFaux
Copy link
Member

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide, as well as this entire template.
  • I have made only one major change in my proposed changes.
  • I have commented my proposed changes within the code.
  • I have tested my proposed changes, and have included unit tests where possible.
  • I am willing to help maintain this change if there are issues with it later.
  • I give this submission freely and claim no ownership.
  • It is compatible with the EUPL 1.2 license
  • I have squashed any insignificant commits. (git rebase)

What does this PR aim to accomplish?:

Extends protections put in place to prevent arbitrary code values in columns from being evaluated/executed by forcing datatables to render them as text.

Blanket applied to all datatables declarations to use as the render method for all columns (unless otherwise specified) rather than the usages of the render.text() function being peppered about as it is currently.

@PromoFaux PromoFaux requested a review from a team October 27, 2021 18:25
@PromoFaux
Force all columns in any declared datatable to render using datatable…
0e483a8 
…s render.text function to prevent possible (very low risk, requiring authenticated dashboard anyway) XSS.

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
@PromoFaux PromoFaux requested a review from a team October 28, 2021 11:00
@PromoFaux PromoFaux added the PR: Approval Required Open Pull Request, needs approval label Oct 28, 2021
@yubiuser yubiuser merged commit 5aeb52e into devel Oct 28, 2021
@yubiuser yubiuser deleted the tweak/datatables branch October 28, 2021 18:21
@yubiuser yubiuser mentioned this pull request Nov 21, 2021
Merged
9 tasks
@DL6ER DL6ER mentioned this pull request Dec 22, 2021
Merged
@pralor-bot
Copy link

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-ftl-v5-12-web-v5-9-and-core-v5-7-released/51795/1

This was referenced Dec 22, 2021
Merged
Merged
Closed
Merged
Merged
This was referenced Jan 3, 2022
Merged
Closed
@renovate renovate bot mentioned this pull request Mar 5, 2022
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DL6ER DL6ER DL6ER left review comments

@yubiuser yubiuser yubiuser approved these changes

Assignees
No one assigned
Labels
PR: Approval Required Open Pull Request, needs approval
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@PromoFaux @pralor-bot @DL6ER @yubiuser