Pegase745 / sqlalchemy-datatables

SQLAlchemy integration of jQuery DataTables >= 1.10.x (Pyramid and Flask examples)
MIT License
159 stars 67 forks

Escape results before output #136

Open vsevolod-kolchinsky opened 3 years ago

vsevolod-kolchinsky commented 3 years ago

Ability to escape data before output, to prevent JS/HTML injections.

kartikeyas00 commented 3 years ago

@vsevolod-kolchinsky Could you please provide an example?

tdamsma commented 3 years ago

@vsevolod-kolchinsky Sorry for missing this PR. Can you provide an example of the injection? As far as I am aware all results should be returned as JSON and thus not susceptible. Please let me know if I am wrong about this

vsevolod-kolchinsky commented 3 years ago

The simplest case would be the following: given some database table with rows containing raw HTML with Javascript, which you don't want to be executed when Datatable renders.

from datatables import DataTables
from flask import escape

[...]

        table = DataTables(params, query, columns, escape=escape)
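The point at issue in the thread is that JSON encoding protects the transport framing, not the HTML context the browser later inserts each cell into. The following is an added example, not code from the sqlalchemy-datatables project or from either commenter: it builds a constructed DataTables-style server response (`draw` / `recordsTotal` / `recordsFiltered` / `data`, with invented row values), shows that `json.dumps` leaves `<` and `>` intact, and applies an escape callable to every string cell before the response is serialised. The `escape_output` function and its `escape` parameter are this example's own; they do not depend on the `escape=` argument proposed in the PR, and `html.escape` from the standard library stands in for `flask.escape` so the snippet runs offline.

```python
import html
import json
from typing import Any, Callable, Dict, List

# Constructed sample in the shape of a DataTables server-side response.
# The row values are invented; the third row carries markup that a browser
# would execute if DataTables inserted the cell as HTML.
SAMPLE_RESULT: Dict[str, Any] = {
    "draw": 1,
    "recordsTotal": 3,
    "recordsFiltered": 3,
    "data": [
        {"id": 1, "name": "Alice", "note": "plain text"},
        {"id": 2, "name": "Bob & Co", "note": 'quotes "here"'},
        {"id": 3, "name": "<script>alert(1)</script>", "note": None},
    ],
}


def escape_output(result: Dict[str, Any],
                  escape: Callable[[str], str] = html.escape) -> Dict[str, Any]:
    """Return a copy of a DataTables result with every string cell escaped.

    Only str values are touched; ints, None and other JSON scalars pass
    through unchanged so numeric columns keep their type. Rows may be
    dicts (column name -> value) or lists (positional cells), since
    DataTables accepts both layouts.
    """
    def esc(value: Any) -> Any:
        return escape(value) if isinstance(value, str) else value

    escaped_rows: List[Any] = []
    for row in result.get("data", []):
        if isinstance(row, dict):
            escaped_rows.append({k: esc(v) for k, v in row.items()})
        else:
            escaped_rows.append([esc(v) for v in row])
    out = dict(result)          # shallow copy; the original stays unescaped
    out["data"] = escaped_rows
    return out


def json_keeps_markup(cell: str) -> bool:
    """True when JSON serialisation leaves '<' and '>' in the string intact.

    json.dumps only escapes quotes, backslashes and control characters, so a
    cell containing a <script> tag reaches the client unchanged.
    """
    encoded = json.dumps(cell)
    return "<" in encoded and ">" in encoded


if __name__ == "__main__":
    raw = SAMPLE_RESULT["data"][2]["name"]
    print("JSON only:", json.dumps(raw))
    print("escaped:  ", json.dumps(escape_output(SAMPLE_RESULT)["data"][2]["name"]))
```

Escaping on the server in this way makes the response safe regardless of how each column is rendered on the client; the alternative is to escape in the browser, for example with the `text()` renderer that DataTables ships for exactly this purpose, but that has to be configured per column and is easy to miss when a new column is added.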