Opened 12 years ago
Closed 12 years ago
#9308 closed defect (invalid)
Grid Escapes HTML, Preventing Functional Links
Reported by: | anthonywatson | Owned by: | Bryan Forbes |
---|---|---|---|
Priority: | high | Milestone: | tbd |
Component: | DojoX Grid | Version: | 1.3.1 |
Keywords: | Grid | Cc: | |
Blocked By: | | Blocking: | |
Description
The grid in Dojo release 1.3.1 escapes HTML in cell text. As a result, images and links no longer work. This problem is a show-stopper for me. I am moving back to 1.3.0 now.
The link below demonstrates how release 1.3.1 broke HTML in grid cell text:
While this page with 1.3.0 works great:
Change History (3)
comment:1 Changed 12 years ago by
Component: | General → DojoX Grid |
---|---|
Owner: | changed from anonymous to Bryan Forbes |
comment:2 follow-up: 3 Changed 12 years ago by
Duplicate of #9533
comment:3 Changed 12 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
Replying to Thomas Gelf:
Duplicate of #9533
This is not a duplicate of the above bug... they are both related to the same feature, but not identical...
However this isn't exactly a bug, it works as intended, the Dojo team agreed that for security purposes this change should happen sooner than later even if it broke API as long as original functionality could be kept in an easy to use manner (you can turn off the security feature or bypass it easily).
From: http://docs.dojocampus.org/dojox/grid
This will escape HTML brackets from the data to prevent HTML from user-inputted data being rendered which may contain JavaScript and result in XSS attacks. This is true by default, and it is recommended that it remain true. Setting this to false will allow data to be displayed in the grid without filtering, and should be only used if it is known that the data won't contain malicious scripts. If HTML is needed in grid cells, it is recommended that you use the formatter function to generate the HTML (the output of formatter functions is not filtered, even with escapeHTMLInData set to true).
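As an added illustration of the behaviour the quoted documentation describes (example code written for this page, not Dojo's grid implementation or anything attached to the ticket): a minimal escape step applied to raw cell data, alongside a formatter that emits a link without trusting the data. The option name escapeHTMLInData comes from the documentation above; renderCell, linkFormatter and the sample rows are assumptions made for this example.

```javascript
// Illustrative only: models the documented grid behaviour, not dojox.grid itself.

// Escape the characters that carry meaning in HTML text and attribute values.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one cell. Mirrors the documented rule: with escaping on, raw data is
// escaped; a formatter's output is inserted unfiltered, so the formatter is
// responsible for escaping anything it interpolates.
function renderCell(value, options) {
  const { escapeHTMLInData = true, formatter } = options || {};
  if (typeof formatter === "function") {
    return formatter(value);
  }
  return escapeHTMLInData ? escapeHTML(value) : String(value);
}

// Hypothetical formatter: turns {href, label} data into a link, linking only
// http(s) URLs and escaping every interpolated value. Any other scheme falls
// back to plain escaped text, so data can never smuggle in a script URL.
function linkFormatter(cell) {
  const href = String((cell && cell.href) || "");
  const label = escapeHTML((cell && cell.label) || href);
  if (!/^https?:\/\//i.test(href)) {
    return label;
  }
  return '<a href="' + escapeHTML(href) + '">' + label + "</a>";
}

// Constructed sample rows for the demo (not data from the ticket).
const sampleRows = [
  "<script>alert(1)</script>",
  { href: "https://example.com/", label: "Example <site>" },
  { href: "javascript:alert(1)", label: "click me" },
];

// Returns the rendered output for each case so the difference is visible:
// escaped text, unfiltered text (escapeHTMLInData=false), a safe link, and a
// rejected scheme that degrades to plain text.
function demo() {
  return [
    renderCell(sampleRows[0]),
    renderCell(sampleRows[0], { escapeHTMLInData: false }),
    renderCell(sampleRows[1], { formatter: linkFormatter }),
    renderCell(sampleRows[2], { formatter: linkFormatter }),
  ];
}
```

The second entry returned by demo() shows why the documentation advises leaving escapeHTMLInData true: with it off, whatever arrives in the data reaches the DOM verbatim. The formatter path keeps working links while still escaping, which is the approach the closing comment recommends instead of disabling the feature.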