githubocto / flat-ui

MIT License

XSS vulnerability in string cells and long value previews #7

Closed danzvara closed 3 years ago

danzvara commented 3 years ago

Both string cells and long value previews inject stringWithLinks via dangerouslySetInnerHTML. However, stringWithLinks is created by passing raw input through anchorme, which doesn't sanitize HTML as per https://github.com/alexcorvi/anchorme.js/issues/54.

Repro: https://flatgithub.com/danzvara/csv-xss?filename=kokos.csv&sha=9caf159937ecb7a87bd896da2e70e4e86ef3da1e

I would suggest sandboxing the string outputs in an iframe (or perhaps choosing a sanitization library to make stringWithLinks safe).
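An added example, not flat-ui's or anchorme's code, contrasting the two shapes the report describes: linkifying the raw cell value and handing the result to innerHTML (markup in the value is rendered), versus escaping the value first and only then wrapping http(s) URLs in anchors (markup in the value becomes visible text). The function names linkifyUnsafe, linkifySafe and escapeHtml, the URL pattern, and the sample cell strings are all constructed for this example.

```javascript
// Added example (not the project's code): render an untrusted cell value with
// clickable links without letting markup in the value reach the DOM.

// The five characters that can break out of text or attribute context.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Only http(s) URLs become clickable. The class excludes whitespace and the
// characters that could terminate a tag or attribute, so a match never
// contains them; javascript:, data: and other schemes stay plain text.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// The unsafe shape reported in the issue: linkify the raw value, then inject the
// result as HTML. Any tag already present in the value survives untouched.
// Kept only as the "before" for comparison.
function linkifyUnsafe(raw) {
  return String(raw).replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened shape: split the raw value into URL and non-URL segments, escape
// every segment, and only then wrap the URL segments in anchors. The anchors
// are the only markup that can appear in the output.
function linkifySafe(raw) {
  const text = String(raw);
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample cell values: a normal link with a query string, a value
// carrying markup, and a non-http scheme that must not become a link.
const SAMPLE_CELLS = [
  "see https://example.com/a?b=1&c=2 <b>bold</b>",
  "javascript:void(0)",
];

for (const cell of SAMPLE_CELLS) {
  console.log("unsafe:", linkifyUnsafe(cell));
  console.log("safe:  ", linkifySafe(cell));
}
```

With the hardened version the `<b>` in the first sample reaches the page as the literal text `<b>bold</b>`, while the URL is still clickable and its `&` is entity-encoded inside the href; the `javascript:` value stays inert text because only `http`/`https` matches the pattern. Sandboxing the rendered cell in an iframe, as the report also suggests, is a complementary layer rather than a replacement for escaping.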

Wattenberger commented 3 years ago

fixed in 36738e9514302e0b69182efde2ec524ba26a4dd5, thanks for flagging that!