This disables the display of HTML content during exports, without enabling XSS attacks

This commit is contained in:
Brady Wetherington 2022-04-07 16:27:06 +01:00
parent 4b255ada70
commit 4db7cb0e21

View file

@ -32,9 +32,16 @@
$('.snipe-table').bootstrapTable('destroy').each(function () {
data_export_options = $(this).attr('data-export-options');
export_options = data_export_options? JSON.parse(data_export_options): {};
export_options['htmlContent'] = true; //always enforce this on the given data-export-options (to prevent XSS)
export_options = data_export_options ? JSON.parse(data_export_options) : {};
export_options['htmlContent'] = false; // this is already the default; but let's be explicit about it
// the following callback method is necessary to prevent XSS vulnerabilities
// (this is taken from Bootstrap Tables's default wrapper around jQuery Table Export)
export_options['onCellHtmlData'] = function (cell, rowIndex, colIndex, htmlData) {
if (cell.is('th')) {
return cell.find('.th-inner').text()
}
return htmlData
}
$(this).bootstrapTable({
classes: 'table table-responsive table-no-bordered',
ajaxOptions: {