vedmack / yadcf

Yet Another DataTables Column Filter (yadcf)
http://yadcf-showcase.appspot.com/
MIT License

Use proper jQuery objects instead of strings for better security #630

Closed m417z closed 4 years ago

m417z commented 4 years ago

Fixes https://github.com/vedmack/yadcf/issues/629, improves overall security and robustness, and readability too. I didn't test it thoroughly, but the bundled example works properly.

Note that while many places prone to XSS are now safe, there are still places which look dangerous. For example: https://github.com/m417z/yadcf/blob/cd4bf396bc7cc46aa0f7456d5ab0775ad9a94525/jquery.dataTables.yadcf.js#L1559

If the string which is part of the expression is untrusted, it must be escaped.

This pull request took more time than I expected; I'd appreciate it if it gets merged. Thanks for the library.

vedmack commented 4 years ago

Wow, thanks @m417z, will merge it in the upcoming days.

m417z commented 4 years ago

Thanks. I pushed another commit which actually fixes #629, not only security-wise, even if you use a string like: A"B'C&nbsp;<script>alert(1)</script>.
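An added example in plain JavaScript, not code from yadcf or from this PR, contrasting the string-concatenation pattern the first comment warns about with escaping every untrusted value before it enters the markup, using the test string from the comment above as constructed sample data; the helper names are assumptions, and the jQuery-object variant is included for comparison only since it needs a DOM to run.

```javascript
// Added example (not yadcf's own code). Helper names and SAMPLE_VALUES are constructed.

// Minimal HTML escaping that is safe for text content and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: column values are concatenated straight into <option> markup, so a value
// containing quotes or tags rewrites the HTML structure (the kind of value in #629).
function buildOptionsUnsafe(values) {
  return values.map(v => '<option value="' + v + '">' + v + '</option>').join('');
}

// Safe string form: each untrusted value is escaped for the context it lands in.
function buildOptionsEscaped(values) {
  return values.map(v => {
    const e = escapeHtml(v);
    return '<option value="' + e + '">' + e + '</option>';
  }).join('');
}

// Equivalent jQuery-object form (the direction this PR takes): .val() and .text()
// set DOM properties, so no escaping step exists to be forgotten. Needs a DOM; not run here.
function buildOptionsJquery($, values) {
  const $select = $('<select/>');
  values.forEach(v => $select.append($('<option/>').val(v).text(v)));
  return $select;
}

// Structural check: is there any raw tag in the output other than the <option> tags we wrote?
function containsInjectedTag(html) {
  return /<(?!\/?option\b)[a-z]/i.test(html);
}

// Constructed sample input; the second value is the test string from the PR discussion.
const SAMPLE_VALUES = ['Alpha', 'A"B\'C&nbsp;<script>alert(1)</script>'];
```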

vedmack commented 4 years ago

Ohh noooooo! Only now I noticed that you did your PR on the stable 0.9.3 version instead of the latest beta version of 0.9.4 that is located in yadcf/src/.

m417z commented 4 years ago

Heck. I created a rebased version, and found some potential bugs that I'll mention in the new PR: https://github.com/vedmack/yadcf/pull/634