
Escape results before output

Open vsevolod-kolchinsky opened this issue 3 years ago • 3 comments

Ability to escape data before output, to prevent JS/HTML injections.

vsevolod-kolchinsky avatar Jan 19 '21 20:01 vsevolod-kolchinsky

@vsevolod-kolchinsky Could you please provide an example?

kartikeyas00 avatar Apr 06 '21 19:04 kartikeyas00

@vsevolod-kolchinsky Sorry for missing this PR. Can you provide an example of the injection? As far as I am aware all results should be returned as JSON and thus not susceptible. Please let me know if I am wrong about this

tdamsma avatar Apr 07 '21 14:04 tdamsma

The simplest case would be the following: given some database table with rows containing raw HTML with Javascript, which you don't want to be executed when Datatable renders.

from datatables import DataTables
from flask import escape

[...]

# proposed: pass an escape callable that DataTables applies to every cell
# value before it is placed in the JSON result
table = DataTables(params, query, columns, escape=escape)

vsevolod-kolchinsky avatar Apr 07 '21 15:04 vsevolod-kolchinsky
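The point of the thread is that a JSON body is safe as JSON, but DataTables inserts cell values into the DOM as HTML by default, so a row stored as `<script>...</script>` runs when the table renders unless it is escaped somewhere. The following is an added example, not code from sqlalchemy-datatables or from the commenters: it shows the server-side escaping the issue proposes, applied to a constructed set of rows standing in for the query result. It uses the standard library's `html.escape` in place of `flask.escape`, and the helper names (`escape_value`, `escape_rows`, `build_response`) are assumptions, not the project's API.

```python
import html
import json

# Constructed sample rows standing in for what the DataTables result
# would contain after the query runs (hypothetical data, not project output).
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "comment": "hello"},
    {"id": 2, "name": "<b>Bob</b>", "comment": "<script>alert(1)</script>"},
]


def escape_value(value):
    """HTML-escape string cells; leave numbers, booleans and None untouched.

    Stands in for flask.escape / markupsafe.escape from the issue;
    quote=True also escapes ' and " so the value is safe inside attributes.
    """
    if isinstance(value, str):
        return html.escape(value, quote=True)
    return value


def escape_rows(rows, escape=escape_value):
    """Apply the escape callable to every cell of every row.

    This is what an `escape=` parameter on DataTables would do before the
    rows reach the client; the callable is injectable so a project can
    pass its own (hypothetical parameter, as proposed in the issue).
    """
    return [{key: escape(val) for key, val in row.items()} for row in rows]


def build_response(rows, draw=1, escape=escape_value):
    """Serialise the DataTables server-side response with escaped cells.

    draw/recordsTotal/recordsFiltered/data are the keys the DataTables
    client protocol expects from a server-side endpoint.
    """
    safe_rows = escape_rows(rows, escape=escape)
    return json.dumps(
        {
            "draw": draw,
            "recordsTotal": len(rows),
            "recordsFiltered": len(safe_rows),
            "data": safe_rows,
        }
    )


if __name__ == "__main__":
    # The second row's markup comes out as &lt;script&gt;... and renders as
    # literal text in the table instead of executing.
    print(build_response(SAMPLE_ROWS))
```

Escaping on the server is the conservative choice because it does not depend on each column definition on the client; the alternative, when the server must return raw values, is to set the DataTables column renderer to `$.fn.dataTable.render.text()` so the client treats the value as text rather than HTML. Either way the check is the same: a stored `<script>` cell must show up in the rendered table as literal text.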