print extension has an XSS vulnerability.


jsnjsn Posts: 6, Questions: 2, Answers: 0
edited January 2016 in Free community support

I'm adding rows with HTML like so: datatable.row.add('HTML ROW HERE') and when I hit the print button, if the value of a column is something like: alert('hi'), it executes.

Replies

  • allan Posts: 64,102, Questions: 1, Answers: 10,571, Site admin

    DataTables will render the HTML directly so this is to some degree expected. If you want to protect against this you would need to use a renderer as discussed in the security manual.

    I plan to offer an option in future versions of DataTables whereby the output will be text rather than HTML, but I know a lot of people rely on outputting HTML, hence why the rendering options are available.

    Allan

  • jsnjsn Posts: 6, Questions: 2, Answers: 0
    edited January 2016

    Thanks for your response,

    I'm using a templating engine to render the HTML initially, so the values are properly escaped. My problem only occurs when I hit the "print" button.

  • allan Posts: 64,102, Questions: 1, Answers: 10,571, Site admin

    If you've bypassed the DataTables rendering function you would probably need to do some kind of rendering for the print button as well. It's difficult to say without a test case showing the issue what the actual fix would be though.

    Allan
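An added example (not code from the thread or from the DataTables project) of the renderer Allan suggests: a `columns.render` callback that HTML-escapes the cell value for the `display` type, which is what the rendered table and the print view read, while leaving sort and filter data untouched. It assumes the DataTables render signature `function (data, type, row, meta)` and simulates the print view's table build with constructed sample rows.

```javascript
// Escape the five characters that matter in HTML text and attribute
// contexts so a cell value such as "<script>alert('hi')</script>" is shown
// literally instead of being parsed as markup.
function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Renderer in the shape of DataTables' columns.render (assumed signature:
// data, type, row, meta). Only the 'display' type is escaped; 'sort',
// 'filter' and 'type' keep the raw value so ordering and search still work.
function safeCellRender(data, type /*, row, meta */) {
  return type === 'display' ? escapeHtml(data) : data;
}

// Constructed sample rows, including one hostile value.
const sampleRows = [
  { name: 'Alice', note: 'plain text' },
  { name: 'Mallory', note: "<script>alert('hi')</script>" },
];

// Column definitions as they would be passed to DataTables' `columns` option.
const columnDefs = [
  { data: 'name', render: safeCellRender },
  { data: 'note', render: safeCellRender },
];

// Simulate what the print view does: build a table from each column's
// 'display'-rendered value. With the escaping renderer no raw tag survives.
function renderPrintHtml(rows, columns) {
  const body = rows.map(function (row) {
    const cells = columns.map(function (col) {
      return '<td>' + col.render(row[col.data], 'display', row, {}) + '</td>';
    });
    return '<tr>' + cells.join('') + '</tr>';
  });
  return '<table><tbody>' + body.join('') + '</tbody></table>';
}

console.log(renderPrintHtml(sampleRows, columnDefs));
```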
