Power-Components / livewire-powergrid

⚡ PowerGrid generates modern, powerful and easy-to-customize data tables using Laravel Livewire.
https://livewire-powergrid.com
MIT License

[Feature] Unescape column titles to allow custom html to be shown #1396

Closed akulmehta closed 5 months ago

akulmehta commented 5 months ago

⚡ PowerGrid - Pull Request

Welcome and thank you for your interest in contributing to our project! You must use this template to submit a Pull Request or it will not be accepted.


Motivation

Description

This Pull Request unescapes the column title field to allow HTML to be used there. This is particularly useful if you do not want the column title to be a string but rather an icon. Since the column title is expected to be coded in by the developer, I do not think this would be a security issue (i.e. an XSS vulnerability).

For example: if only text is allowed (i.e. the title is currently escaped), you would need to label a column "Visibility", making the column broad, like: [image]

However, with the above PR, you could replace the column title with some HTML (e.g. a Font Awesome icon), like: [image]

Moreover, you could even put icons before your text, like: [image]

Not sure if this would require an update to the documentation, but I am happy to provide a PR there if needed.

Related Issue(s): #_____.

Documentation

Does this PR require a documentation update?

dansysanalyst commented 5 months ago

I've got to ask:

Column titles are set by the developer and are not exposed to the end user - right?

Do we all agree that it is very unlikely, very low risk, that a developer will inject any malicious code on a column title?

I think the docs should mention that it is unescaped and allows passing HTML, but that this requires some attention on the developer's side.

akulmehta commented 5 months ago

@dansysanalyst I cannot imagine a case where a column would not be set by a developer. A dynamic column based on user input would likely not be useful. So then, as to the question of whether a developer will inject malicious code into a column title: if the developer is malicious, they would probably be able to do more harm to the codebase beyond this.

I suppose a warning similar to the one at https://livewire-powergrid.com/table/add-columns.html#closure-examples would be sufficient, but I am not sure if even that is necessary. As mentioned, I am happy to PR that into the docs if needed.

In fact, I had PR'ed this into an earlier version as well, and it was merged: https://github.com/Power-Components/livewire-powergrid/pull/517

luanfreitasdev commented 5 months ago

Hello @akulmehta, can you provide documentation about the e() in Columns?

Thank you

akulmehta commented 5 months ago

@luanfreitasdev docs added
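To illustrate the point the thread settles on (after this change the title is rendered raw, so only the literal markup typed by the developer is trusted, and any non-literal label should go through Laravel's `e()` as luanfreitasdev's question suggests), here is an added example that is not part of the PR or of PowerGrid. It assumes PowerGrid's `Column::add()->title()->field()` API, Laravel's `e()` and `__()` helpers, and a hypothetical `iconTitle()` helper with a constructed translation key.

```php
<?php
// Added example; not code from the PR or from the PowerGrid code base.
// Assumes PowerGrid's fluent Column API (Column::add()->title()->field()) and
// Laravel's e() helper, which HTML-encodes a string via htmlspecialchars().

use PowerComponents\LivewirePowerGrid\Column;

/**
 * Hypothetical helper: build a column title made of an icon plus a text label.
 *
 * Because the title is no longer escaped by PowerGrid, the only trusted part
 * is the markup written literally in this file. The label (which may come from
 * a translation file or per-tenant settings rather than a literal) is always
 * passed through e(). The icon class is matched against a tight pattern so it
 * cannot close the attribute or introduce further tags.
 */
function iconTitle(string $label, ?string $iconClass = null): string
{
    $safeLabel = e($label);

    if ($iconClass === null) {
        return $safeLabel;
    }

    if (preg_match('/^[a-z0-9 -]+$/i', $iconClass) !== 1) {
        throw new InvalidArgumentException("Unexpected icon class: {$iconClass}");
    }

    return sprintf('<i class="%s" aria-hidden="true"></i> %s', $iconClass, $safeLabel);
}

// The intended use of the feature: a purely static, developer-authored title.
$visibility = Column::add()
    ->title('<i class="fa-solid fa-eye" aria-hidden="true"></i><span class="sr-only">Visibility</span>')
    ->field('is_visible');

// A label that is not a literal here (constructed translation key): the text
// part is escaped by iconTitle(), the markup part stays fixed.
$status = Column::add()
    ->title(iconTitle(__('columns.status'), 'fa-solid fa-circle-check'))
    ->field('status');

// A label that itself contains markup is rendered as visible text, not as tags.
$literalMarkup = Column::add()
    ->title(iconTitle('<b>Status</b>'))
    ->field('status_text');
```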