#9564 closed defect (duplicate)
dojox.grid.DataGrid ignores escapeHTMLInData in 1.3.2
| Reported by: | Thomas Gelf | Owned by: | Bryan Forbes |
|---|---|---|---|
| Priority: | high | Milestone: | tbd |
| Component: | DojoX Grid | Version: | 1.3.1 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
Section "Options" on http://docs.dojocampus.org/dojox/grid explains that there would be "escapeHTMLInData" new in 1.3.2 - however there is no such option to be found in source code.
dojox.grid.DataGrid? now escapes HTML per default - protecting users from beginner errors, but breaking compatibility with existing code. While I'm not against doing so (is it always good to protect coders from themselves - even if such changes are not really welcome between minor releases) at least the (documented) escapeHTMLInData switch should be available.
Line 6845 in dojox/grid/DataGrid.js.uncompressed.js does this escape-alike-job as follows:
d = (d && d.replace) ? d.replace(/</g, '<') : d;
While I'm not sure if this suffices to protect against all kinds of attacks it is pretty obvious that it has been forgotten to implement escapeHTMLInData.
Best regards, Thomas Gelf
NB: Bug is for 1.3.2 - as there is no such option available yet, I've chosen 1.3.1.
Change History (5)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
| Component: | General → DojoX Grid |
|---|---|
| Owner: | changed from anonymous to Bryan Forbes |
dup of #9533?
See also Ticket #9308 (I didn't test 1.3.1)