Merge pull request #283 from devpaul/grid-cleanup

Cleans up a grid issue making editing rows more secure
dojo · Jul 12, 2018 · 63346ee · 63346ee · LbISS · Jun 23, 2020
2 parents 72db30b + e92ee87
commit 63346ee
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 13 deletions.
diff --git a/grid/_Builder.js b/grid/_Builder.js
@@ -260,28 +260,31 @@ define([
 
 		// time critical: generate html using cache and data source
 		generateHtml: function(inDataIndex, inRowIndex){
-			var
-				html = this.getTableArray(),
-				v = this.view, dir,
-				cells = v.structure.cells,
-				item = this.grid.getItem(inRowIndex);
+			var html = this.getTableArray();
+			var v = this.view;
+			var cells = v.structure.cells;
+			var item = this.grid.getItem(inRowIndex);
+			var dir;
 
 			util.fire(this.view, "onBeforeRow", [inRowIndex, cells]);
-			for(var j=0, row; (row=cells[j]); j++){
+			for(var j=0, row; (row = cells[j]); j++){
 				if(row.hidden || row.header){
 					continue;
 				}
 				html.push(!row.invisible ? '<tr>' : '<tr class="dojoxGridInvisible">');
 				for(var i=0, cell, m, cc, cs; (cell=row[i]); i++){
-					m = cell.markup; cc = cell.customClasses = []; cs = cell.customStyles = [];
+					m = cell.markup;
+					cc = cell.customClasses = [];
+					cs = cell.customStyles = [];
+
 					// content (format can fill in cc and cs as side-effects)
 					m[5] = cell.format(inRowIndex, item);
 					// classes
 					m[1] = cc.join(' ');
 					// styles
 					m[3] = cs.join(';');
 					dir = cell.textDir || this.grid.textDir;
-					if(dir){
+					if (dir) {
 					    m[3] += this._getTextDirStyle(dir, cell, inRowIndex);
 					}
 					// in-place concat

diff --git a/grid/cells/_base.js b/grid/cells/_base.js
@@ -102,11 +102,14 @@ define([
 			//		grid row index
 			// returns:
 			//		html for a given grid cell
-			var f, i=this.grid.edit.info, d=this.get ? this.get(inRowIndex, inItem) : (this.value || this.defaultValue);
-			d = (d && d.replace && this.grid.escapeHTMLInData) ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;') : d;
-			if(this.editable && (this.alwaysEditing || (i.rowIndex==inRowIndex && i.cell==this))){
+			var i = this.grid.edit.info;
+			var d = this.get ? this.get(inRowIndex, inItem) : (this.value || this.defaultValue);
+			if (d && d.replace && this.grid.escapeHTMLInData) {
+				d = d.replace(/&/g, '&amp;').replace(/</g, '&lt;');
+			}
+			if (this.editable && (this.alwaysEditing || (i.rowIndex==inRowIndex && i.cell==this))){
 				return this.formatEditing(i.value ? i.value : d, inRowIndex);
-			}else{
+			} else {
 				return this._defaultFormat(d, [d, inRowIndex, this]);
 			}
 		},
@@ -329,6 +332,10 @@ define([
 		keyFilter: null,
 		formatEditing: function(inDatum, inRowIndex){
 			this.needFormatNode(inDatum, inRowIndex);
+			if (inDatum && inDatum.replace) {
+				// escape quotes to avoid XSS
+				inDatum = inDatum.replace(/"/g, '&quot;')
+			}
 			return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">';
 		},
 		formatNode: function(inNode, inDatum, inRowIndex){
@@ -478,4 +485,4 @@ define([
 
 	return BaseCell;
 
-});
+});