#10129 closed defect (fixed)

Grid not properly escaping ampersands

Reported by: Nathan Toone
Owned by: Nathan Toone
Priority: high
Milestone: 1.4
Component: DojoX Grid
Version: 1.4.0b

Description

The grid properly prevents HTML injection by replacing "<" with "&lt;"; however, it does not properly replace "&" with "&amp;", meaning a data value of "&lt;&gt;" will show up in the grid as "<>" (incorrectly, when escaping is turned on).

Not a blocker, as this is not a regression nor a security risk. However, it is easy to fix, and should be fixed.

Change History (1)

comment:1 Changed 10 years ago by Nathan Toone

Resolution: fixed
Status: new → closed

(In [20594]) Fixes #10129 - make sure that we replace ampersands (before we replace the less than) when writing out the value !strict
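To make the ordering point in the description and the fix concrete, here is an added example (not DojoX Grid's own code) that contrasts the original escaping, the fix with "&" escaped first, and the wrong order; `renderedText` is an assumed minimal entity decoder standing in for what the browser would display, and the cell values are constructed.

```javascript
// Original behaviour described in the ticket: only "<" is escaped, "&" is left
// alone, so a cell value that already contains entities is shown decoded.
function escapeBuggy(value) {
  return String(value).replace(/</g, "&lt;");
}

// The fix: escape "&" before "<". Any "&" in the data is neutralised first, so
// the "&" introduced by "&lt;" afterwards is the only live entity in the output.
// (A full HTML escape would also cover ">" and quotes for attribute context;
// the ticket's fix concerns "&" and "<".)
function escapeFixed(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Wrong order for comparison: escaping "&" after "<" re-escapes the "&" that
// "&lt;" just introduced, so a literal "<" renders as the text "&lt;".
function escapeWrongOrder(value) {
  return String(value).replace(/</g, "&lt;").replace(/&/g, "&amp;");
}

// Assumed stand-in for browser rendering: decode the three entities in a
// single pass (one pass, so "&amp;lt;" becomes "&lt;" and stops there).
function renderedText(html) {
  const map = { lt: "<", gt: ">", amp: "&" };
  return html.replace(/&(lt|gt|amp);/g, (_, name) => map[name]);
}

// Constructed cell values: the ticket's case plus a plain "<".
function demo() {
  return {
    buggy: renderedText(escapeBuggy("&lt;&gt;")),      // "<>"  (wrong)
    fixed: renderedText(escapeFixed("&lt;&gt;")),      // "&lt;&gt;" (correct)
    wrongOrder: renderedText(escapeWrongOrder("<")),   // "&lt;" (double-escaped)
  };
}
```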
