
Commit 888b281

author
Nicolas Rodriguez
committed
Fix possible XSS : jbox-web#199
1 parent 2847047 commit 888b281


2 files changed

+29
-1
lines changed


lib/ajax-datatables-rails/base.rb

Lines changed: 11 additions & 1 deletion
@@ -38,7 +38,7 @@ def as_json(options = {})
3838
{
3939
recordsTotal: get_raw_records.count(:all),
4040
recordsFiltered: get_raw_records.model.from("(#{filter_records(get_raw_records).except(:limit, :offset, :order).to_sql}) AS foo").count,
41-
data: data
41+
data: sanitize(data)
4242
}
4343
end
4444

@@ -69,6 +69,16 @@ def connected_columns
6969

7070
private
7171

72+
def sanitize(data)
73+
data.map do |record|
74+
if record.is_a?(Array)
75+
record.map { |td| ERB::Util.html_escape(td) }
76+
else
77+
record.update(record){ |_, v| ERB::Util.html_escape(v) }
78+
end
79+
end
80+
end
81+
7282
def retrieve_records
7383
records = fetch_records
7484
records = filter_records(records)
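Review bot: The new `sanitize` pushes every cell through `ERB::Util.html_escape`, which calls `to_s` on its argument, so non-string columns in `data` (integer ids, dates, `nil`) are returned as JSON strings — `1` becomes `"1"` and `nil` becomes `""` — a silent type change for any client code doing arithmetic or null checks on the payload. Only strings can carry markup, so the escaping can be limited to them: `record.map { |td| td.is_a?(String) ? ERB::Util.html_escape(td) : td }` in the array branch, with the same guard in the hash branch. The hash branch also mutates the caller's row hash in place through `record.update(record)`; building a new hash (`record.each_with_object({}) { |(k, v), h| h[k] = ... }`) keeps `data` untouched for other readers. If I read ActiveSupport's override correctly, `html_escape` leaves `html_safe?` strings alone, so columns built with `link_to` still pass through unescaped — presumably intended, but a one-line comment on `sanitize` stating that contract would save the next reader a trip into ActiveSupport. `retrieve_records` continues past the end of the hunk.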

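--- a/spec/ajax-datatables-rails/base_spec.rb
+++ b/spec/ajax-datatables-rails/base_spec.rb
@@ -51,6 +51,15 @@
 item = datatable.data.first
 expect(item).to be_a(Hash)
 end
+
+it 'should html escape data' do
+datatable = ComplexDatatableHash.new(view)
+create(:user, first_name: 'Name "><img src=x onerror=alert("first_name")>', last_name: 'Name "><img src=x onerror=alert("last_name")>')
+data = datatable.send(:sanitize, datatable.data)
+item = data.first
+expect(item[:first_name]).to eq 'Name &quot;&gt;&lt;img src=x onerror=alert(&quot;first_name&quot;)&gt;'
+expect(item[:last_name]).to eq 'Name &quot;&gt;&lt;img src=x onerror=alert(&quot;last_name&quot;)&gt;'
+end
 end
 
 context 'when data is defined as a array' do
@@ -62,6 +71,15 @@
 item = datatable.data.first
 expect(item).to be_a(Array)
 end
+
+it 'should html escape data' do
+datatable = ComplexDatatableArray.new(view)
+create(:user, first_name: 'Name "><img src=x onerror=alert("first_name")>', last_name: 'Name "><img src=x onerror=alert("last_name")>')
+data = datatable.send(:sanitize, datatable.data)
+item = data.first
+expect(item[2]).to eq 'Name &quot;&gt;&lt;img src=x onerror=alert(&quot;first_name&quot;)&gt;'
+expect(item[3]).to eq 'Name &quot;&gt;&lt;img src=x onerror=alert(&quot;last_name&quot;)&gt;'
+end
 end
 
 end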
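Review bot: Both new examples call the private `sanitize` directly via `datatable.send(:sanitize, datatable.data)`, so they never verify that `as_json` actually routes `data` through it — if the `sanitize(data)` call in `as_json` were dropped, these specs would still pass and the XSS would be back. Drive the assertion through the public path instead, `item = datatable.as_json[:data].first`, in both the hash and the array example. A companion example with a non-string column (an integer id or a date) would also pin whether the escaping is meant to turn such values into strings, since `html_escape` calls `to_s` on whatever it receives. The enclosing `context` blocks begin before the hunks.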
