Opened 11 years ago

Closed 10 years ago

#9308 closed defect (invalid)

Grid Escapes HTML, Preventing Functional Links

Reported by: anthonywatson Owned by: Bryan Forbes
Priority: high Milestone: tbd
Component: DojoX Grid Version: 1.3.1
Keywords: Grid Cc:
Blocked By: Blocking:

Description

The grid in Dojo release 1.3.1 escapes HTML in cell text. As a result, images and links no longer work. This problem is a show-stopper for me. I am moving back to 1.3.0 now.

The link below demonstrates how release 1.3.1 broke HTML in grid cell text:

http://download.dojotoolkit.org/release-1.3.1/dojo-release-1.3.1/dojox/grid/tests/test_yahoo_images.html

While this page with 1.3.0 works great:

http://download.dojotoolkit.org/release-1.3.0/dojo-release-1.3.0/dojox/grid/tests/test_yahoo_images.html

Change History (3)

comment:1 Changed 11 years ago by bill

Component: General → DojoX Grid
Owner: changed from anonymous to Bryan Forbes

comment:2 Changed 10 years ago by Thomas Gelf

Duplicate of #9533

comment:3 in reply to: 2 Changed 10 years ago by Karl Tiedt

Resolution: invalid
Status: new → closed

Replying to Thomas Gelf:

Duplicate of #9533

This is not a duplicate of the above bug... they are both related to the same feature, but not identical...

However, this isn't exactly a bug; it works as intended. The Dojo team agreed that for security purposes this change should happen sooner rather than later, even if it broke API, as long as original functionality could be kept in an easy-to-use manner (you can turn off the security feature or bypass it easily).

From: http://docs.dojocampus.org/dojox/grid

This will escape HTML brackets from the data to prevent HTML from user-inputted data being rendered, which may contain JavaScript and result in XSS attacks. This is true by default, and it is recommended that it remain true. Setting this to false will allow data to be displayed in the grid without filtering, and should only be used if it is known that the data won't contain malicious scripts. If HTML is needed in grid cells, it is recommended that you use the formatter function to generate the HTML (the output of formatter functions is not filtered, even with escapeHTMLInData set to true).
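The escapeHTMLInData rule quoted from the docs, as an added stand-alone JavaScript model (not Dojo's own grid code; escapeHtml, renderCell, renderTable, imageLinkFormatter and the sample rows are constructed here), showing that the default escapes markup in cell data while a formatter must escape whatever it embeds, since its output is inserted unfiltered:

```javascript
// Added model of the grid rule quoted from the docs; not Dojo's own code. With
// escapeHTMLInData true (the 1.3.1 default) raw cell data is HTML-escaped; a cell
// formatter's return value is inserted unfiltered.

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one cell. cell: { field, formatter? }, row: data record,
// options: { escapeHTMLInData }. Mirrors the behaviour described in the ticket.
function renderCell(cell, row, options) {
  const value = row[cell.field];
  if (typeof cell.formatter === "function") {
    return cell.formatter(value, row); // never filtered, even when escaping is on
  }
  return options.escapeHTMLInData ? escapeHtml(value) : String(value);
}

// Recommended pattern: keep escaping on and build the markup in a formatter that
// escapes every data value it embeds. Attribute escaping alone does not make a
// URL safe to place in href/src, so only http(s) URLs become a link/image.
function imageLinkFormatter(value, row) {
  const title = escapeHtml(row.title);
  if (!/^https?:\/\//i.test(row.url)) {
    return title; // unexpected scheme: fall back to plain escaped text
  }
  const href = escapeHtml(row.url);
  return `<a href="${href}"><img src="${href}" alt="${title}"></a>`;
}

// Render every row against a grid layout; returns the rendered cells per row.
function renderTable(layout, rows, options) {
  return rows.map((row) => layout.map((cell) => renderCell(cell, row, options)));
}

// Constructed sample data and layout (hypothetical, not from the test page).
const sampleRows = [
  { url: "http://example.com/photo1.jpg", title: "Beach <2009>" },
  { url: "http://example.com/photo2.jpg", title: 'Says "hi" & waves' },
];
const layout = [
  { field: "title" }, // plain text column: escaped by default
  { field: "url", formatter: imageLinkFormatter }, // HTML column: built by a formatter
];
console.log(renderTable(layout, sampleRows, { escapeHTMLInData: true }));
```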
