Closed victornpb closed 5 years ago
Hi @victornpb,
We cannot whitelist every HTML element, but you can whitelist just what you need; you'll find some information about how to do so here: https://getbootstrap.com/docs/3.4/javascript/#js-sanitizer
> My question is, is there any intrinsic security issue with tables that I'm not aware of? Because I also don't want to blindly whitelist something that I don't fully understand.
You'll find everything on the OWASP website, see: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE
Is there any reason why `<table>` is not whitelisted by the sanitizeHtml function? https://github.com/twbs/bootstrap-sass/blob/b34765d8a6aa775816c59012b2d6b30c4c66a8e9/assets/javascripts/bootstrap.js#L1313
This was a breaking change for us, released as a patch.
Looking at the source code I found that I could set `sanitize: false`, but I don't see why it would be required to turn sanitization off completely just to be able to use tables. Are there any known vulnerabilities regarding tables that I'm not aware of?
Minimal reproduction: https://jsfiddle.net/Victornpb/u1q7cjft/