Bug #2839
jexcel fails on XSS
Start date:
07/17/2020
Due date:
% Done:
100%
Associated revisions
Updating jexcel to fix XSS issue
Closes #2839
History
#1
Updated by Luke Murphey over 4 years ago
Updated by Obs:
- I am using updateTable() to override the cell values.
- The cell contents are getting executed before my render even gets called.
- This line is where the issue is coming from:
// Append nodes to the HTML
for (j = 0; j < obj.options.data.length; j++) {
// Create row
var tr = obj.createRow(j, obj.options.data[j]);
// Append line to the table
if (j >= startNumber && j < finalNumber) {
obj.tbody.appendChild(tr);
}
}
Qs:
- Where is the XSS getting executed?
- Just passing the data causes this
- Does jexcel have some sort of XSS protection I ought to be enabling?
- Can I disable formulas?
- Does it work if I remove my custom renderer?
- No, my custom renderer was actually improving things somehow
- Does removing custom columns help?
- Nope
- Does 4.0 have this issue?
- Cannot get it loaded
#2
Updated by Luke Murphey over 4 years ago
Jexcel 4 doesn't load: Module name "jsuites/dist/jsuites.css" has not been loaded yet for context: _. Use require([])
Qs:- Why is the module named "jsuites/dist/jsuites.css"? I don't have it under dist
- Why is it complaining for _"
- jsuites is trying to load it:
if (! jSuites && typeof(require) === 'function') {
var jSuites = require('jsuites');
require('jsuites/dist/jsuites.css');
Solns:
- Put jexcel in a require("jexcel") call
- Nope
- Move jsuites under jexcel directory
- Remove jsuites css require call
- This fixed it
#3
Updated by Luke Murphey over 4 years ago
- Status changed from New to Closed
- Target version set to 3.4.6
- % Done changed from 0 to 100