Escape results before output #136

Open
vsevolod-kolchinsky wants to merge 1 commit into Pegase745:master from vsevolod-kolchinsky:dev/data_escaping
Conversation

vsevolod-kolchinsky commented Jan 19, 2021

Ability to escape data before output, to prevent JS/HTML injections.

kartikeyas00 commented

@vsevolod-kolchinsky Could you please provide an example?

tdamsma (Collaborator) commented Apr 7, 2021

@vsevolod-kolchinsky Sorry for missing this PR. Can you provide an example of the injection? As far as I am aware all results should be returned as JSON and thus not susceptible. Please let me know if I am wrong about this.

vsevolod-kolchinsky (Author) commented

The simplest case would be the following: given some database table with rows containing raw HTML with JavaScript, which you don't want to be executed when DataTables renders.

from datatables import DataTables
# flask.escape is markupsafe.escape re-exported (removed in newer Flask;
# import it from markupsafe directly there).
from flask import escape

[...]

        # `escape` is the callable this PR adds: every string cell in the
        # result set is passed through it before the JSON response is built.
        table = DataTables(params, query, columns, escape=escape)
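To make the point of the thread concrete, the following is an added, stand-alone example (not code from this PR or from sqlalchemy-datatables). It builds the kind of JSON body a DataTables endpoint returns from constructed sample rows, once without and once with an `escape` callable applied to every string cell, and shows that JSON encoding alone leaves the `<script>` markup intact for the browser. The `escape_rows`, `build_response` and `cell` helpers and the sample rows are this example's own assumptions; the `escape` parameter mirrors the one proposed in the PR but is applied here outside the library.

```python
import html
import json

# Constructed sample rows, shaped like a query result: the second row carries
# raw HTML and a script tag in a text column.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "comment": "plain text"},
    {"id": 2, "name": "<b>Bob</b>", "comment": "<script>alert(1)</script>"},
]


def escape_value(value):
    """Escape one cell. Non-strings (ints, None, dates) pass through unchanged."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    return value


def escape_rows(rows, escape=escape_value):
    """Return a copy of `rows` with every cell passed through `escape`.

    `escape` plays the role of the callable the PR proposes handing to
    DataTables(); any str -> str function such as markupsafe.escape fits.
    """
    return [{key: escape(value) for key, value in row.items()} for row in rows]


def build_response(rows, escape=None):
    """Serialize rows the way a DataTables server-side endpoint does.

    json.dumps keeps the payload well-formed, but it does not touch '<' or '>',
    so once the client inserts the string into the table as HTML the markup is
    live. Passing an `escape` callable neutralizes it before serialization.
    """
    data = escape_rows(rows, escape) if escape is not None else rows
    return json.dumps({"data": data, "recordsTotal": len(rows)})


def cell(body, index, key):
    """Decode a response body and return one cell, for inspection in tests."""
    return json.loads(body)["data"][index][key]


def has_raw_markup(body):
    """True if any string cell in the decoded body still contains a raw '<'."""
    for row in json.loads(body)["data"]:
        for value in row.values():
            if isinstance(value, str) and "<" in value:
                return True
    return False


if __name__ == "__main__":
    unescaped = build_response(SAMPLE_ROWS)
    escaped = build_response(SAMPLE_ROWS, escape=escape_value)
    print("raw markup survives JSON encoding:", has_raw_markup(unescaped))
    print("raw markup after escaping:        ", has_raw_markup(escaped))
    print(cell(escaped, 1, "comment"))
```

Escaping on the server this way is a belt-and-braces measure: the DataTables client can also be told to treat cell contents as text rather than HTML, and the two are complementary. Note that `escape_value` deliberately leaves non-string values alone, so numeric columns and `None` survive the pass unchanged.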
