Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#9564 closed defect (duplicate)

dojox.grid.DataGrid ignores escapeHTMLInData in 1.3.2

Reported by: Thomas Gelf Owned by: Bryan Forbes
Priority: high Milestone: tbd
Component: DojoX Grid Version: 1.3.1
Keywords: Cc:
Blocked By: Blocking:

Description

Section "Options" on http://docs.dojocampus.org/dojox/grid explains that "escapeHTMLInData" would be new in 1.3.2; however, there is no such option to be found in the source code.

dojox.grid.DataGrid now escapes HTML by default, protecting users from beginner errors but breaking compatibility with existing code. While I'm not against doing so (is it always good to protect coders from themselves, even if such changes are not really welcome between minor releases?), at least the (documented) escapeHTMLInData switch should be available.

Line 6845 in dojox/grid/DataGrid.js.uncompressed.js does this escape-like job as follows:

d = (d && d.replace) ? d.replace(/</g, '&lt;') : d;

While I'm not sure if this suffices to protect against all kinds of attacks, it is pretty obvious that implementing escapeHTMLInData has been forgotten.

Best regards, Thomas Gelf

NB: Bug is for 1.3.2 - as there is no such option available yet, I've chosen 1.3.1.
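As an added illustration (not Dojo code and not part of the ticket), the quoted one-character replace next to a complete HTML escaper, behind a cell formatter that honours the documented escapeHTMLInData switch; the function names, the formatter shape and the sample value are assumptions for this example:

```javascript
// Behaviour of the quoted DataGrid.js line: only '<' is replaced, so '&',
// '>', and both quote characters reach the markup unchanged.
function escapeLtOnly(d) {
  return (d && d.replace) ? d.replace(/</g, '&lt;') : d;
}

// Complete escaping for text placed into HTML content or attribute values:
// every character with a meaning in markup is replaced.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};
function escapeHTML(d) {
  if (typeof d !== 'string') return d;      // non-string cells pass through untouched
  return d.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hypothetical cell formatter with the escapeHTMLInData option from the
// docs: escaping stays on by default (the safe choice), and a column whose
// data is trusted, pre-rendered HTML has to opt out explicitly.
function formatCell(value, options = {}) {
  const { escapeHTMLInData = true } = options;
  return escapeHTMLInData ? escapeHTML(value) : value;
}

// Constructed sample cell value containing each markup-significant character.
const SAMPLE = 'Tom & Jerry "show" <b>bold</b> it\'s';

console.log(escapeLtOnly(SAMPLE));                           // partial: only '<' escaped
console.log(escapeHTML(SAMPLE));                             // complete escaping
console.log(formatCell(SAMPLE));                             // default: escaped
console.log(formatCell(SAMPLE, { escapeHTMLInData: false })); // explicit opt-out: raw
```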

Change History (5)

comment:1 Changed 10 years ago by Thomas Gelf

See also Ticket #9308 (I didn't test 1.3.1)

comment:2 Changed 10 years ago by Adam Peller

Component: General → DojoX Grid
Owner: changed from anonymous to Bryan Forbes

dup of #9533?

comment:3 Changed 10 years ago by Thomas Gelf

dup of #9533 => yep :-)

comment:4 Changed 10 years ago by dante

Resolution: duplicate
Status: new → closed

see #9533 then :)

comment:5 Changed 10 years ago by Thomas Gelf

Added above details to #9533...
