Force all columns in any declared DataTable to render using the DataTables render.text() function, to prevent possible XSS (very low risk, since it requires an authenticated dashboard anyway).

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
Adam Warner
2021-10-27 19:21:49 +01:00
parent ae17a48bf7
commit 0e483a8eea
11 changed files with 78 additions and 10 deletions


@@ -114,6 +114,12 @@ $(function () {
{ data: "blob5", visible: false },
{ data: null, width: "80px", orderable: false },
],
columnDefs: [
{
targets: "_all",
render: $.fn.dataTable.render.text(),
},
],
drawCallback: function () {
$('button[id^="deleteMessage_"]').on("click", deleteMessage);
// Remove visible dropdown to prevent orphaning
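Review bot: The `targets: "_all"` entry in the added `columnDefs` is only a default, because DataTables gives a `render` set directly on an entry in `columns` precedence over `columnDefs`. The `columns` array begins above this hunk, so it is worth confirming that no column there defines its own renderer that returns unescaped data. `render.text()` also escapes only what DataTables itself writes into a cell. Any markup inserted afterwards with `.html()` in a row or draw callback (the `deleteMessage_` buttons bound in `drawCallback` are presumably built outside this hunk) still needs its own escaping. A short comment above the block would stop it being removed as redundant later: `// XSS hardening: escape every cell by default; a per-column render overrides this`.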