Closed sfeigl closed 2 years ago
Why does using `.html()` fix this over using `.text()`?
The exploit is triggered in line 70 of the file: `return "<label><input type='checkbox' checked>" + text + "</label>";`
Let's say the column header text is (in HTML) `&lt;script&gt;alert("Oops!");&lt;/script&gt;`
`.text()` returns `<script>alert("Oops!");</script>`
which is inserted in the column toggle checkbox label. The JS code is executed.
`.html()` returns the original HTML, which does not do any harm, as it is still escaped. It appears in the column toggle exactly as in the column header (including formatting) and the script is not executed.
An alternative solution would be to still use `.text()` but HTML-escape this text again in line 70. Formatting would then be lost.
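To make the `.text()`/`.html()` difference concrete, here is an added example (not the project's code, and jQuery-free): it models `.text()` as tag stripping plus entity decoding, rebuilds the line-70 label three ways, and checks which variants leave a live `<script>` tag. The header strings and function names are constructed for illustration.

```javascript
// Added example, not the project's code. Models jQuery's .text() vs .html()
// on a column header cell and shows why concatenating .text() output into an
// HTML string re-activates entities that were escaped in the original markup.

// Stand-in for .text(): drop tags, then decode the entities these inputs use
// (assumption: only the five entities below are needed for the sample data).
function textOf(html) {
  return html
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Stand-in for .html(): the cell's markup as-is, entities still escaped.
function htmlOf(html) {
  return html;
}

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

const PREFIX = "<label><input type='checkbox' checked>";

// Line 70 as it was: raw text pasted into an HTML string (vulnerable).
function labelFromText(cellHtml) {
  return PREFIX + textOf(cellHtml) + "</label>";
}
// The fix: keep the escaped markup, so formatting survives and scripts stay inert.
function labelFromHtml(cellHtml) {
  return PREFIX + htmlOf(cellHtml) + "</label>";
}
// The alternative: .text() plus re-escaping. Safe, but inline formatting is lost.
function labelFromEscapedText(cellHtml) {
  return PREFIX + escapeHtml(textOf(cellHtml)) + "</label>";
}

// A real parser would see a live element here; an escaped "&lt;script" does not match.
function hasLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed header cells: an attacker-supplied name that the table rendered
// correctly escaped, and a legitimate header with inline formatting.
const HEADER_ESCAPED_SCRIPT = '&lt;script&gt;alert("Oops!");&lt;/script&gt;';
const HEADER_FORMATTED = "<b>Total</b> &amp; tax";
```

Running the three builders over both headers shows that only `labelFromText` yields a live script, and that only `labelFromHtml` keeps the `<b>` formatting.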
The column toggle element gets the label as text and writes the label as HTML.
When using as column label (in HTML escaped form), the code gets executed by the column toggle component.
As the column label might be user generated content, this could lead to XSS attacks.
If you need an example, I could create one.