Both string cells and long value previews inject stringWithLinks via dangerouslySetInnerHTML. However stringWithLinks is created by passing raw input through anchorme, which doesn't sanitize HTML as per https://github.com/alexcorvi/anchorme.js/issues/54 .

Repro: https://flatgithub.com/danzvara/csv-xss?filename=kokos.csv&sha=9caf159937ecb7a87bd896da2e70e4e86ef3da1e
I would suggest sandboxing the string outputs in an iframe (or perhaps choosing a sanitization library to make stringWithLinks safe).