From 0990dce8edf0afa7af7d5e352daf98b571ed3d48 Mon Sep 17 00:00:00 2001
From: amercader
Date: Wed, 25 Feb 2015 13:26:03 +0000
Subject: [PATCH] Sanitize header name on SlickGrid view. Fixes #465

SlickGrid will use `$.html`[1] to render the header cell contents. This means that if you are loading an external dodgy CSV like the following one, scripts will be evaluated:

```
field1,field2,field3
data1,data2,data3
data1,data2,data3
```

This fix sanitizes the label when initializing SlickGrid removing all that isn't text.

[1] https://github.com/mleibman/SlickGrid/blob/e6e2f88f832742c44e0fabf1f3864e5176386033/slick.grid.js#L563
---
 src/view.slickgrid.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/view.slickgrid.js b/src/view.slickgrid.js
index 829586c7..0b35ab32 100644
--- a/src/view.slickgrid.js
+++ b/src/view.slickgrid.js
@@ -160,10 +160,15 @@ my.SlickGrid = Backbone.View.extend({
 })
 }
 
+ function sanitizeFieldName(name) {
+ var sanitized = $(name).text();
+ return (name !== sanitized && sanitized !== '') ? sanitized : name;
+ }
+
 _.each(this.model.fields.toJSON(),function(field){
 var column = {
 id: field.id,
- name: field.label,
+ name: sanitizeFieldName(field.label),
 field: field.id,
 sortable: true,
 minWidth: 80,
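Review bot: The `sanitized !== ''` fallback in `sanitizeFieldName` hands the raw label back whenever the parsed markup has no text content, so a header such as `<img src=x onerror=alert(1)>` or `<script src=...></script>` — exactly the case this commit targets — still reaches SlickGrid's `.html()` unchanged. `$(name)` is also a risky way to strip tags: it parses the untrusted string as HTML or as a selector, so a plain label like `body` would return page text as the header, and a label with selector syntax such as `Year (2015)` throws from Sizzle and breaks grid construction for a legitimate CSV. Because the header is rendered with `.html()` (per the commit message), escaping is the correct operation here, not parsing: `return _.escape(name);` (underscore is already in scope via `_.each` in this hunk). That renders any markup in a label literally rather than dropping it, which is the safer default for data loaded from external CSVs.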