Injection vulnerability with hidden columns

david-a Posts: 2 Questions: 0 Answers: 0

The following test case shows how script injection is possible with columns that are not visible.

Test case: http://live.datatables.net/yuworise/3/edit

(The injection is exhibited for me when clicking the Run with JS button in the test case, but occurs on page load in my app.)

I escape all visible values in their render functions, but did not do so for hidden columns (with the visible: false property) as I was not expecting them to reach the DOM. I've worked around this by adding a no-op render function for any hidden columns, but am thinking it might catch people unawares.

Replies

  • allan Posts: 63,214 Questions: 1 Answers: 10,415 Site admin

    Hi,

    You are absolutely correct. What is happening is that DataTables will actually create the nodes for the hidden columns, which is what you are seeing. If you have any potential unescaped data to be displayed in the table then you must use a rendering function (such as the built-in $.fn.dataTable.render.text() one) to make it safe.

    This is really a legacy thing - the plan is to do automatic escaping with DataTables v2 (when that happens). But flipping it in v1 would cause all sorts of backwards compatibility issues.

    Thanks for bringing it up - it is really important that anyone developing with DataTables is aware of this (not just the specific hidden column aspect, but in general).

    Allan

  • david-a Posts: 2 Questions: 0 Answers: 0

    Thanks Allan.

    It's a one-line global fix on my side, so not a problem!

    I'll keep an eye out for v2.
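
The hidden-column case discussed in this thread, as an added example that is not part of the original posts or of DataTables itself: it gives every column definition that lacks a renderer an escaping one, including columns with visible: false. The names hardenColumns, textRenderer and cellHtml are hypothetical; textRenderer is a Node stand-in for $.fn.dataTable.render.text(), and cellHtml is a simplified model of what ends up in a cell node.

```javascript
// Added example (not DataTables source): give every column without a renderer
// an escaping one, hidden columns included, since their nodes are still created.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (v) =>
  typeof v === 'string' ? v.replace(/[&<>"']/g, (ch) => ENTITIES[ch]) : v;

// Node stand-in for $.fn.dataTable.render.text(); pass the real one in the browser.
const textRenderer = () => ({ display: escapeHtml, filter: escapeHtml });

// Returns hardened copies of the column definitions plus the names that were patched.
function hardenColumns(columns, makeRenderer = textRenderer) {
  const patched = [];
  const hardened = columns.map((col) => {
    if (col.render !== undefined && col.render !== null) return { ...col };
    patched.push(col.visible === false ? `${col.data} (hidden)` : String(col.data));
    return { ...col, render: makeRenderer() };
  });
  return { hardened, patched };
}

// Simplified model (assumption) of the HTML written into a cell node.
function cellHtml(col, row) {
  const data = row[col.data];
  if (typeof col.render === 'function') return col.render(data, 'display', row);
  if (col.render && typeof col.render.display === 'function') return col.render.display(data);
  return data; // no renderer: the raw value reaches the DOM
}

// Constructed sample: the visible column is escaped, the hidden one was overlooked.
const columns = [
  { data: 'name', render: (d) => escapeHtml(d) },
  { data: 'notes', visible: false },
];
const row = { name: 'Alice <b>', notes: '<img src=x onerror=alert(1)>' };

const { hardened, patched } = hardenColumns(columns);
console.log('patched columns:', patched);
console.log('before:', cellHtml(columns[1], row));
console.log('after: ', cellHtml(hardened[1], row));
```

In the browser, a table-wide default can be set with the columnDefs option, for example a definition with targets: '_all' and render: $.fn.dataTable.render.text().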

This discussion has been closed.