DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-01-11 22:07:29 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

This disables the display of HTML content during exports, without enabling XSS attacks

Browse source
This commit is contained in:
Brady Wetherington 2022-04-07 16:27:06 +01:00
parent 4b255ada70
commit 4db7cb0e21
1 changed files with 10 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
resources/views/partials/bootstrap-table.blade.php
View file

@ -32,9 +32,16 @@
$('.snipe-table').bootstrapTable('destroy').each(function () { $('.snipe-table').bootstrapTable('destroy').each(function () {
data_export_options = $(this).attr('data-export-options'); data_export_options = $(this).attr('data-export-options');
export_options = data_export_options? JSON.parse(data_export_options): {}; export_options = data_export_options ? JSON.parse(data_export_options) : {};
export_options['htmlContent'] = true; //always enforce this on the given data-export-options (to prevent XSS) export_options['htmlContent'] = false; // this is already the default; but let's be explicit about it
// the following callback method is necessary to prevent XSS vulnerabilities
// (this is taken from Bootstrap Tables's default wrapper around jQuery Table Export)
export_options['onCellHtmlData'] = function (cell, rowIndex, colIndex, htmlData) {
if (cell.is('th')) {
return cell.find('.th-inner').text()
}
return htmlData
}
$(this).bootstrapTable({ $(this).bootstrapTable({
classes: 'table table-responsive table-no-bordered', classes: 'table table-responsive table-no-bordered',
ajaxOptions: { ajaxOptions: {