Add Security Warning for HTML Encoding

By default the table option escape is set to false, which means any data by a potential attacker will end up unencoded in the DOM, which might make the table susceptible to Cross-Site Scripting attacks and others.

In my opinion the default should be set to true, even though this is a breaking change, in order to mitigate the potential vulnerability. At the very least, a security warning should be added in order to inform people of the potential security risk, if the behavior should not be changed.

The same applies to formatters, even though the issue is even more complicated here, as data passed to a formatter doesn't have to be a string, which could be easily encoded depending on escape; instead it could be an object or an array. I would appreciate having a security warning here as well, in order to inform people that any user input put into the HTML string will end up unencoded in the table and could lead to a Cross-Site Scripting vulnerability.

This has been discussed in various issues before, but I feel like this would add some additional awareness.
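The following is an added example, not code from the bootstrap-table project or from anyone in this thread. It models the two situations the issue describes: a plain cell rendered with `escape` off versus on, and a formatter that receives an object, where the table's `escape` flag cannot help and each interpolated field has to be encoded inside the formatter itself. `escapeHTML`, `renderCell` and the two formatter functions are hypothetical helpers, and the row data is constructed.

```javascript
// Added example (not bootstrap-table's own code): models the behaviour the
// issue describes. escapeHTML, renderCell and the formatters are hypothetical.

// Encode the five characters that let a string break out of HTML text or
// attribute context; this is what a cell-level `escape: true` is for.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Model of a table cell: with escape=false (the default discussed above) the
// raw value is placed in the markup unchanged; with escape=true it is encoded.
function renderCell(value, { escape = false } = {}) {
  return `<td>${escape ? escapeHTML(value) : value}</td>`;
}

// Constructed, user-controlled cell value using the usual XSS canary string.
const hostileName = '<img src=x onerror="alert(1)">';

// A formatter receives structured data (here an object), so the table's escape
// flag never sees the fields: every user-controlled field must be encoded
// inside the formatter. Unsafe version: interpolates raw fields into HTML.
function unsafeUserFormatter(user) {
  return `<a href="/users/${user.id}">${user.name}</a>`;
}

// Safe version: encodes the display name and only accepts an integer id for
// the URL path, so neither field can inject markup or change the URL shape.
function safeUserFormatter(user) {
  const id = Number.isInteger(user.id) ? user.id : 0;
  return `<a href="/users/${id}">${escapeHTML(user.name)}</a>`;
}

// Constructed sample row as a formatter would receive it.
const hostileUser = { id: 7, name: hostileName };

// Simple check used to compare the outputs: does a live <img> tag survive?
function containsImgTag(html) {
  return /<img\b/i.test(html);
}
```

Running `containsImgTag` over the four renderings shows the tag survives only in `renderCell(hostileName)` and `unsafeUserFormatter(hostileUser)`, which is exactly the exposure the issue asks to warn about.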

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

2 reactions
wenzhixin commented, Jul 5, 2020

Maybe we can add a file, for example, bootstrap-table-security.js:

window.jQuery.extend(window.jQuery.fn.bootstrapTable.defaults, {
  escape: true
})

window.jQuery.extend(window.jQuery.fn.bootstrapTable.columnDefaults, {
  escape: true
})

What do you think?

1 reaction
UtechtDustin commented, Jul 6, 2020

I also don't like the idea with a new file. This should be part of the bootstrap table, either as an option or as a default value (which makes more sense, I guess).
