knight/datahub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitize header name on SlickGrid view. Fixes #465

Browse Source 
SlickGrid will use `$.html`[1] to render the header cell contents.

This means that if you are loading an external dodgy CSV like the
following one, scripts will be evaluated:

```
field1,field2<script>alert(123)</script>,field3
data1,data2,data3
data1,data2,data3
```
This fix sanitizes the label when initializing SlickGrid removing all
that isn't text.

[1] e6e2f88f83/slick.grid.js (L563)
This commit is contained in:
amercader
2015-02-25 13:26:03 +00:00
parent 8bdd837d26
commit 0990dce8ed
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/view.slickgrid.js
View File

@@ -160,10 +160,15 @@ my.SlickGrid = Backbone.View.extend({
}) })
} }
function sanitizeFieldName(name) {
var sanitized = $(name).text();
return (name !== sanitized && sanitized !== '') ? sanitized : name;
}
_.each(this.model.fields.toJSON(),function(field){ _.each(this.model.fields.toJSON(),function(field){
var column = { var column = {
id: field.id, id: field.id,
name: field.label, name: sanitizeFieldName(field.label),
field: field.id, field: field.id,
sortable: true, sortable: true,
minWidth: 80, minWidth: 80,