From 4db7cb0e21301fdb267c97165a1348de655f2946 Mon Sep 17 00:00:00 2001
From: Brady Wetherington
Date: Thu, 7 Apr 2022 16:27:06 +0100
Subject: [PATCH] This disables the display of HTML content during exports, without enabling XSS attacks

---
 resources/views/partials/bootstrap-table.blade.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/resources/views/partials/bootstrap-table.blade.php b/resources/views/partials/bootstrap-table.blade.php
index ceb1fa045c..b991febd89 100644
--- a/resources/views/partials/bootstrap-table.blade.php
+++ b/resources/views/partials/bootstrap-table.blade.php
@@ -32,9 +32,16 @@ $('.snipe-table').bootstrapTable('destroy').each(function () {
 data_export_options = $(this).attr('data-export-options');
- export_options = data_export_options? JSON.parse(data_export_options): {};
- export_options['htmlContent'] = true; //always enforce this on the given data-export-options (to prevent XSS)
-
+ export_options = data_export_options ? JSON.parse(data_export_options) : {};
+ export_options['htmlContent'] = false; // this is already the default; but let's be explicit about it
+ // the following callback method is necessary to prevent XSS vulnerabilities
+ // (this is taken from Bootstrap Tables's default wrapper around jQuery Table Export)
+ export_options['onCellHtmlData'] = function (cell, rowIndex, colIndex, htmlData) {
+ if (cell.is('th')) {
+ return cell.find('.th-inner').text()
+ }
+ return htmlData
+ }
 $(this).bootstrapTable({
 classes: 'table table-responsive table-no-bordered',
 ajaxOptions: {