edwindj / daff

Diff, patch and merge for data.frames, see http://paulfitz.github.io/daff/
https://edwindj.github.io/daff/

HTML rendering does not escape passed data #25

Closed dset0x closed 6 years ago

dset0x commented 6 years ago

Hello and thanks for this awesome project.

I have been using daff like so:

var data1 = ...;
var data2 = ...;

// Wrap into tables
var data1_table = new daff.TableView(data1);
var data2_table = new daff.TableView(data2);

// Calculate alignment
var alignment = daff.compareTables(data1_table, data2_table).align();

// Produce diff
var data_diff = [];
var table_diff = new daff.TableView(data_diff);

// Set diff options
var flags = new daff.CompareFlags();
flags.always_show_header = false;
flags.ordered = false;
flags.show_unchanged_columns = true;
flags.unchanged_column_context = 0;
flags.unchanged_context = 0;
var highlighter = new daff.TableDiff(alignment,flags);
highlighter.hilite(table_diff);

if (table_diff.data.length === 0) {
    return;
}

// Get HTML
var diff2html = new daff.DiffRender();
diff2html.render(table_diff);
var table_diff_html = diff2html.html();

table_diff_html contains unescaped data. For example if data2 has a field that contains <foo>, that part of the field is never displayed to the user.

Could it be that I'm not calling something properly? Perhaps it is here that escaping ought to be done?
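The issue above describes the classic shape of a stored/reflected XSS sink: cell values from an untrusted data set are concatenated into HTML by the renderer without escaping, so a field containing `<foo>` becomes markup instead of text, and a field containing an `<img onerror=...>` tag would execute script in the viewer's browser. The following is an added example, not code from the daff or daff.js projects, showing the caller-side mitigation a practitioner would apply until the renderer itself escapes: escape every cell of the 2-D array before it is wrapped in a table view, and verify on the rendered output that no raw markup from the input survived. `renderUnescaped` and `renderEscaped` are deliberately minimal stand-ins for a renderer and are not daff's `DiffRender`; `escapeCells`, `containsRawMarkup` and `sampleTable` are names chosen here, and the sample rows are constructed for the example.

```javascript
// Added example (not daff/daff.js code): escape untrusted table cells before
// an HTML renderer sees them, and check the rendered HTML afterwards.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape every cell of a 2-D array (the shape a daff TableView wraps).
// null cells are preserved so the differ still sees "missing" rather than "".
function escapeCells(rows) {
  return rows.map(row => row.map(cell => (cell === null ? null : escapeHtml(cell))));
}

// Stand-in for a renderer that concatenates cell values straight into HTML.
// This reproduces the failure mode described in the issue; it is not DiffRender.
function renderUnescaped(rows) {
  const body = rows
    .map(row => "<tr>" + row.map(cell => "<td>" + cell + "</td>").join("") + "</tr>")
    .join("");
  return "<table>" + body + "</table>";
}

// Hardened form: same renderer, fed escaped cells (caller-side mitigation).
function renderEscaped(rows) {
  return renderUnescaped(escapeCells(rows));
}

// Post-render check: does any input cell that contains '<' or '>' appear
// verbatim in the HTML? If so, the renderer did not escape it.
function containsRawMarkup(html, rows) {
  const risky = rows.flat().filter(cell => typeof cell === "string" && /[<>]/.test(cell));
  return risky.some(cell => html.includes(cell));
}

// Constructed sample data for the example; the last row is a typical XSS probe.
function sampleTable() {
  return [
    ["id", "name"],
    [1, "alice"],
    [2, "<foo>"],
    [3, "<img src=x onerror=alert(1)>"],
  ];
}

if (typeof require !== "undefined" && require.main === module) {
  const rows = sampleTable();
  console.log("unescaped leaks markup:", containsRawMarkup(renderUnescaped(rows), rows)); // true
  console.log("escaped leaks markup:  ", containsRawMarkup(renderEscaped(rows), rows));   // false
}
```

Escaping before the comparison rather than after it keeps the diff itself unaffected: both sides are transformed the same way, so equal cells stay equal and changed cells stay changed. The trade-off is that this is a workaround in the caller; the check on the rendered output is the thing to keep around, since it also tells you whether the daff.js version you upgrade to has fixed escaping in its renderer.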

jeroen commented 6 years ago

This is the repository for the daff wrapper for the R language. I think you're interested in the daff.js repo?

dset0x commented 6 years ago

Too many tabs, too many tabs. Thank you.