Not editable fields are not XSS attack secure

[Asia321]

I noticed in renderSingleField function(vendor/sg/datatablesbundle/Sg/DatatablesBundle/Datatable/Column/Column.php ) that if column is not editable then data is not rendered by Twig so the content is not escaped and allow XSS attack

[stwe]

You have to explain more. The function renderSingleField calls renderTemplate for generating content. And renderTemplate calls $this->twig->render

[Asia321]

Hi, thanks for your reply, it is rendered by twig only when $this->isEditableContentRequired($row) is true, but in my case I have field like this( $this->isEditableContentRequired($row) returns false):

 public function buildDatatable(array $options = array())
    {
            $this->columnBuilder
            ->add(
                'userDetails.firstName',
                Column::class,
                array(
                    'title' => $this->translator->trans('field.first_name')
                )
            )
          //more fields here
}

which can be edited in another action and it is not escaped from js/html tags.

[sonnguyenthai]

I got the same problem when using dev-master version. I use this bundle to list my objects (for example: Article ), in this datatable I show Article title. If I add an Article with title like <script>alert('hey you!');</script>, then return to the datatable I will see the alert. That's the problem.

[sonnguyenthai]

Not only column data, but also other outputs are unprotected when rendering a datatable. I tried above trick with username which is showed in the same view as datatable successfully.

[sspat]

Still vulnerable, had to fork to fix this issue

[Seb33300]

Related to #845