Security Issue: Site hacked but only page with datatable with filter & search
I experienced the same thing as this post: https://datatables.net/forums/discussion/11093/security-issue-site-hacked-but-only-on-page-using-datatables
I am using DataTables 1.10.20 (Bootstrap and nightly). The case is more or less the same: it only happens on pages that contain DataTables with filters and search, but not all filter data is defaced; it only happens for certain data, for example year = 10 or status = 1.
The URL is not redirected; only the display is defaced.
Answers
Can you PM me a link to the page in question so I can see how your DataTable is configured please? Any other details you can give me such as the backend stack details would be useful as well.
Thanks,
Allan
Yes, please check your inbox.
Hi,
I've replied to your PM - thank you for the link. For anyone else that finds this, some of the data being displayed by the DataTable contains an XSS attack string.
If you are displaying untrusted data in a DataTable (i.e. from end user input) you must use the text() renderer to protect against XSS as described here.
Allan
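To make the difference between the two configurations concrete, here is an added example (not code from this thread or from the DataTables project) that models the column rendering offline. escapeHtml, textRenderer and renderRow are stand-ins written for this illustration; the escaping rules are assumed to match what the built-in text() renderer applies, and the sample row is constructed.

```javascript
// Added example, not code from the thread. Offline stand-in for what the
// DataTables text() renderer does; on a real page the hardened column is
//   columns: [{ data: 'status', render: $.fn.dataTable.render.text() }]
// (DataTables 1.10.x; DataTable.render.text() in newer versions).

// Escape the characters that let a value break out of an HTML text node or
// attribute. Assumed to match the escaping the built-in renderer applies.
function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Stand-in for $.fn.dataTable.render.text(): DataTables asks the renderer
// for each data type; both 'display' and 'filter' receive the escaped text.
function textRenderer() {
  return { display: escapeHtml, filter: escapeHtml };
}

// Minimal model of how DataTables builds one row's cells: a column with no
// renderer has its raw value inserted as HTML, which is how a stored
// payload in the database reaches the page.
function renderRow(columns, row) {
  return columns.map(function (col) {
    var raw = row[col.data];
    if (!col.render) {
      return raw;
    }
    return col.render.display(raw, 'display', row);
  });
}

// Constructed sample row: the status field holds a stored XSS string.
var sampleRow = { year: 10, status: '<script>alert("xss")</script>' };

// Vulnerable configuration: untrusted values land in the DOM unescaped.
var unsafeColumns = [{ data: 'year' }, { data: 'status' }];

// Hardened configuration: every column that can carry user input is
// rendered through the text renderer, so the payload shows as literal text.
var safeColumns = [
  { data: 'year', render: textRenderer() },
  { data: 'status', render: textRenderer() }
];
```

Compare renderRow(unsafeColumns, sampleRow) with renderRow(safeColumns, sampleRow): the first returns the script tag verbatim, the second returns it entity-encoded.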
Thank you, Allan. The problem has been solved.
Our site has been hacked, indicating a critical security breach. Urgent measures are underway to identify and resolve the issue. Apologies for any inconvenience, and we appreciate your patience.
@lexiluna53 - Are you suggesting that it is a DataTables issue? If you can PM me more details if so, then I can look into it.
Allan