Possible bug when sanitizing strings

Possible bug when sanitizing strings

CaptaincapslockCaptaincapslock Posts: 3Questions: 0Answers: 0
edited January 10 in Free community support

So, to prevent scripts from being executed when showing them in a data table, I usually do this:

var sanitized = $("div").text("<script>alert(1);</script>").html();

This works fine when rendering a table. However when re-rendering that table, DataTables won't initialize. See example:

$("#mytable").DataTable({
  columns: [{
    title: "Column"
  } ],
  data: [
    [`<a href="#">${$("div").text("<script>alert(1)</script>").html()}</a>`]
  ],
  destroy: true
});

$("#mytable").DataTable({
  columns: [{
    title: "Column"
  } ],
  data: [
    [`<a href="#">something else</a>`]
  ],
  destroy: true
});

No errors will show up in the chrome console. I think this is a bug! If you do not use the sanitizing, DataTables will initialize twice and show the expected result.

Replies

  • CaptaincapslockCaptaincapslock Posts: 3Questions: 0Answers: 0

    Edit: It won't initialize for the second time.

    If you remove the jQuery sanitizing stuff, it actually will re-initialize for the second time.

    For now I sanitize using

    new Option(unsafeString).innerHtml
    
Sign In or Register to comment.