
fix: do not bind content as innerHTML by default #126

Merged (1 commit, Nov 21, 2024)

Conversation

spike-rabbit (Collaborator)

BREAKING CHANGE:
Previously, cell values were bound using `innerHTML`. With this change they are now bound using normal data binding. This means that any HTML markup will no longer be rendered. To restore the previous behavior, set `bindAsUnsafeHtml` on columns where needed.

We decided to change this behavior, as binding `innerHTML` can lead to HTML injection, especially in table content, which is often untrusted user-generated content.

BREAKING CHANGE:
Header cell names are now bound using data binding instead of `innerHTML`.
Use a `headerTemplate` to provide custom HTML markup.

What kind of change does this PR introduce? (check one with "x")

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other... Please describe:

What is the current behavior? (You can also link to an open issue here)

What is the new behavior?

Does this PR introduce a breaking change? (check one with "x")

  • Yes
  • No

If this PR contains a breaking change, please describe the impact and migration path for existing applications: ...

Other information:
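To make the difference between the two binding modes concrete, here is an added example (not code from this PR or from the project) that models what ends up in the DOM for a cell under text data binding versus `innerHTML`-style binding. Only the `bindAsUnsafeHtml` column flag comes from the PR; the column shape (`prop`, `name`), the renderer functions and the sample rows are assumptions constructed for the illustration. It also includes a small review aid that lists every column still opted in to raw HTML, which is the set a reviewer has to confirm carries trusted content only.

```typescript
// Added example, not the project's code. Models the PR's default: cell values
// are text-bound (markup escaped) unless a column sets bindAsUnsafeHtml.
// `prop`/`name` and every function below are assumed names for illustration.

interface Column {
  prop: string;               // key of the row object to display (assumed)
  name: string;               // header text (assumed)
  bindAsUnsafeHtml?: boolean; // opt-in to innerHTML-style binding (from the PR)
}

type Row = Record<string, unknown>;

// Text binding: the literal string reaches the DOM as a text node, so markup
// characters are shown, never interpreted. This is the serialised equivalent.
function escapeHtml(value: unknown): string {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// One cell: escaped by default, raw only when the column explicitly opted in.
function renderCell(column: Column, row: Row): string {
  const value = row[column.prop];
  const text = value === undefined || value === null ? '' : value;
  const inner = column.bindAsUnsafeHtml ? String(text) : escapeHtml(text);
  return `<td>${inner}</td>`;
}

// Header cells are always text-bound after this change; custom header markup
// goes through headerTemplate, which is not modelled here.
function renderHeader(columns: Column[]): string {
  return `<tr>${columns.map(c => `<th>${escapeHtml(c.name)}</th>`).join('')}</tr>`;
}

function renderRow(columns: Column[], row: Row): string {
  return `<tr>${columns.map(c => renderCell(c, row)).join('')}</tr>`;
}

// Review aid: every column that still accepts raw HTML. Each of these must be
// fed trusted (e.g. server-generated, sanitised) content, never user input.
function unsafeHtmlColumns(columns: Column[]): string[] {
  return columns.filter(c => c.bindAsUnsafeHtml).map(c => c.prop);
}

// Constructed sample: a user-supplied comment containing markup, and a
// server-generated status badge that is intentionally rendered as HTML.
const columns: Column[] = [
  { prop: 'user', name: 'User' },
  { prop: 'comment', name: 'Comment' },
  { prop: 'statusBadge', name: 'Status', bindAsUnsafeHtml: true },
];

const sampleRow: Row = {
  user: 'alice',
  comment: '<b>not</b> plain text & "quoted"',
  statusBadge: '<span class="badge">active</span>',
};

console.log(renderHeader(columns));
console.log(renderRow(columns, sampleRow));
console.log('columns accepting raw HTML:', unsafeHtmlColumns(columns));
```

Running it shows the `comment` cell arriving as `&lt;b&gt;not&lt;/b&gt; ...`, i.e. displayed verbatim, while the `statusBadge` cell keeps its `<span>` because that column opted in. The `unsafeHtmlColumns` list is the migration checklist: after upgrading, only columns whose values are known not to be user-controlled should appear in it.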
@spike-rabbit spike-rabbit requested a review from fh1ch November 20, 2024 13:38
@spike-rabbit spike-rabbit self-assigned this Nov 20, 2024
@timowolf (Member) left a comment


Makes sense to me. Many thanks.

@fh1ch fh1ch added the bug Something isn't working label Nov 21, 2024
@fh1ch (Member) left a comment


@spike-rabbit outstanding work with the MR here, thanks a ton 🙇

The changes look flawless and my local verification tests were all successful. Also nice work with the inline documentation. So let's get this one in.

LGTM 👍

@fh1ch fh1ch merged commit e818477 into master Nov 21, 2024
1 check passed
@fh1ch fh1ch deleted the fix/do-not-bind-as-innerHTML-by-default branch November 21, 2024 08:43