Non-editable fields are not secure against XSS attacks
I noticed in the renderSingleField function (vendor/sg/datatablesbundle/Sg/DatatablesBundle/Datatable/Column/Column.php) that if a column is not editable, the data is not rendered by Twig, so the content is not escaped and allows an XSS attack.
You have to explain more. The function renderSingleField calls renderTemplate to generate the content, and renderTemplate calls $this->twig->render.
Hi, thanks for your reply. It is rendered by Twig only when $this->isEditableContentRequired($row) is true, but in my case I have a field like this ($this->isEditableContentRequired($row) returns false):
```php
// Column definition as posted: the column is not editable, so its content
// goes through the bundle's non-Twig render path. Column refers to
// Sg\DatatablesBundle\Datatable\Column\Column.
public function buildDatatable(array $options = array())
{
    $this->columnBuilder
        ->add(
            'userDetails.firstName',
            Column::class,
            array(
                'title' => $this->translator->trans('field.first_name')
            )
        )
        // more fields here
    ;
}
```
which can be edited in another action, and it is not escaped from JS/HTML tags.
I got the same problem when using the dev-master version. I use this bundle to list my objects (for example: Article); in this datatable I show the Article title. If I add an Article with a title like <script>alert('hey you!');</script>, then return to the datatable, I will see the alert. That's the problem.
Not only column data, but also other outputs are unprotected when rendering a datatable. I tried the above trick with a username, which is shown in the same view as the datatable, successfully.
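As an added illustration of the two reports above (not code from the DatatablesBundle project or from any commenter), the snippet below contrasts a cell value that bypasses escaping with one passed through htmlspecialchars(), which is the same transformation Twig's autoescaping applies on the editable path. The function names, the cellIsInert() regression check and the Article title are all constructed for this example.

```php
<?php
// Added example, not part of stwe/DatatablesBundle: shows why a column value
// that skips Twig autoescaping is an XSS sink and what the defensive render
// path looks like. All names and the sample title below are constructed.

declare(strict_types=1);

/**
 * Vulnerable path: the stored value is handed to the browser as-is and is
 * injected into the table cell as HTML, so a stored <script> payload runs.
 */
function renderCellUnescaped(string $value): string
{
    return $value;
}

/**
 * Hardened path: every value that reaches the browser as HTML is escaped.
 * ENT_QUOTES covers both quote styles (text and attribute contexts) and
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * which would otherwise make a cell silently disappear.
 */
function renderCellEscaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Regression check a test suite can run over every rendered cell: after
 * escaping, no literal angle bracket may survive, so a markup payload saved
 * in the database must come back as inert text.
 */
function cellIsInert(string $rendered): bool
{
    return strpos($rendered, '<') === false && strpos($rendered, '>') === false;
}

// Constructed sample: an Article title exactly as a user could save it.
$title = "<script>alert('hey you!');</script>";

$raw  = renderCellUnescaped($title);
$safe = renderCellEscaped($title);

printf("unescaped: %s  inert=%s\n", $raw, var_export(cellIsInert($raw), true));
printf("escaped:   %s  inert=%s\n", $safe, var_export(cellIsInert($safe), true));
```

The same check applies to the username case mentioned above: anything interpolated into the datatable view outside a Twig `{{ }}` expression needs the escaped path, and cellIsInert() is a cheap assertion to add to the bundle's functional tests so the regression cannot come back unnoticed.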
Still vulnerable, had to fork to fix this issue
Related to https://github.com/stwe/DatatablesBundle/pull/845