Ticket #2532641 (closed defect)

Reporter: Tri Phan
Opened: 08/9/12
Last modified: 08/25/12
Status: closed
Type: defect
Resolution: expired

Owner: Luke Smith
Target Release: 3.NEXT
Priority: P4 (low)
Summary: Usage of <script> in the data displayed for data table
Description:

We have a need to embed the following type of data in the data table, <script>alert('this is a test')</script>. However, when this is done, the </script> conflicts with the <script></script> tags for the data table and the data grid gets malformed. Here is what the data table data looks like before it is handed off for rendering. YUI3 data table was not able to render the below. Does anyone have suggestions for solving this without having to remove the internal <script></script> tags?

<script type="text/javascript">

data = [
......
There are two possible scenarios for sending input to a web application that is vulnerable to cross-site scripting: A. The parameter value sent to the CGI script is returned in the response page,
embedded in the: Cross Site scripting issue client instance.......... <script>alert('this is a test')</script>" ,"FindingType": "Security Assessment" ,"ReportID": "" ,"status": "Unlinked" ,"Severity":
"Undefined" ,"RiskLevel": "Low" ,"FindingClass": "Other" ,"IpAddress": "" ,"ServiceName": "" ,"checkid": "5" }];

</script>

Thanks.
Tri

Type: defect
Observed in Version: 3.4.1
Component: DataTable
Severity: S4 (low)
Assigned To: Luke Smith
Target Release: 3.NEXT
Location: Library Code
Priority: P4 (low)
Tags: Datatable
Relates To:
Browsers: Firefox - Latest, IE 8.x, IE 9.x
URL:
Test Information:

Change History

Jenny Donnelly

YUI Developer

Posted: 08/16/12
  • component changed from None to DataTable
  • owner changed from Jenny Donnelly to Luke Smith
  • priority changed to P3 (normal)
  • status changed from new to assigned

Luke Smith

YUI Contributor

Posted: 08/16/12
  • location changed to Library Code
  • milestone changed to 3.NEXT
  • priority changed from P3 (normal) to P4 (low)
  • severity changed from S3 (normal) to S4 (low)
  • status changed from assigned to infoneeded

Luke Smith

YUI Contributor

Posted: 08/16/12

Can you create a http://jsfiddle.net repro case? I'm not sure if the formatting of your ticket description came across. And a fiddle is good for helping you or me pinpoint where the issue in the code is.

Also, DataTable changed a lot in 3.5.0, and the current release is 3.6.0. Please confirm that the issue still exists in the latest version, since any fix would be applied on top of that. If the issue has gone away, but you are unable to upgrade for whatever reason, you might be able to find help on the forum for creating a local patch.

yuibuild

Posted: 08/25/12
  • resolution changed to expired
  • status changed from infoneeded to closed

Ticket automatically closed due to no activity.
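
The conflict reported in this ticket arises because the HTML parser ends an inline script block at the first `</script>` it encounters, even when that text sits inside a JavaScript string. The following added example (not from the ticket or from YUI; the function names and the sample row are constructed for illustration) shows one way to serialize the data so the embedded tags survive, and to escape the value when a cell is written out as HTML.

```javascript
// Constructed sample row modelled on the data in the ticket description.
const rows = [{
  Description: "Cross Site scripting issue <script>alert('this is a test')</script>",
  FindingType: "Security Assessment",
  RiskLevel: "Low"
}];

// Characters that can end or confuse an inline <script> block. Each one is
// replaced by a \uXXXX escape, which JavaScript and JSON decode back to the
// original character, while the HTML parser never sees a literal "<".
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Hypothetical helper: JSON text that is safe to place inside <script>.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(SCRIPT_UNSAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical helper: escape a value for insertion as HTML text, so the
// cell displays the markup literally instead of running it.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the inline block the server would emit around the table data.
function buildInlineScript(data) {
  return '<script type="text/javascript">\nvar data = ' +
    serializeForInlineScript(data) + ';\n</script>';
}

const page = buildInlineScript(rows);
console.log(page);                            // one <script> block, data intact
console.log(escapeHtml(rows[0].Description)); // text form for the table cell
```

The escaping belongs in the server-side code that generates the page, and the cell formatter should apply HTML escaping unless the column is deliberately meant to carry markup.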