At present you can execute queries like:
Which will get displayed like:
Doesn’t this open up all sorts of XSS attacks, etc.? That doesn’t seem to be the right thing for default behaviour.
I was thinking that:
- The default ‘Text’ type in the table viz should start to HTML escape cell data.
- A new ‘HTML’ type be introduced so that the old behaviour can be explicitly selected (perhaps with a big warning!).
What do people think? Should ‘Text’ also convert ‘\n’ to ‘<br/>’? Or should there instead be a “Pre-formatted text” option that drops everything in ‘<pre>’ tags? Do other viz need attention?
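To make the proposal concrete, here is an added example (not code from the original post or from the project under discussion) of a cell renderer with the three column types described above: an escaping ‘Text’ default, an explicit raw ‘HTML’ type, and a ‘Pre-formatted text’ type. The function names, the type strings and the sample value are assumptions made for this example. The one point worth seeing in code is the order of operations for ‘Text’: escape first, then turn newlines into `<br/>`, otherwise the renderer’s own tags get escaped too.

```javascript
// Added example, not the project's own code: render a table cell by column type.
//   'text' -> HTML-escape the value (proposed safe default)
//   'html' -> pass the raw value through (the old behaviour, opt-in only)
//   'pre'  -> HTML-escape, then wrap in <pre> so newlines and spacing survive
// renderCell, escapeHtml and the type strings are names assumed for this example.

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text content or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function renderCell(value, type = 'text') {
  if (value === null || value === undefined) {
    return '';
  }
  switch (type) {
    case 'html':
      // Raw markup from the query result; only for columns the author explicitly opted in.
      return String(value);
    case 'pre':
      // Escape first, then wrap: the <pre> tags come from the renderer, not from the data.
      return `<pre>${escapeHtml(value)}</pre>`;
    case 'text':
    default:
      // Unknown types fall back to the safe path. Escape first, then convert
      // newlines; the other order would turn our own <br/> into &lt;br/&gt;.
      return escapeHtml(value).replace(/\r?\n/g, '<br/>');
  }
}

// Constructed sample cell value containing markup, an ampersand, quotes and a newline.
const SAMPLE = '<b>not bold</b> & "quoted"\nline two';

// Render the sample under each column type and return the results for inspection.
function demo() {
  return {
    text: renderCell(SAMPLE, 'text'),
    pre: renderCell(SAMPLE, 'pre'),
    html: renderCell(SAMPLE, 'html'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [type, out] of Object.entries(demo())) {
    console.log(`${type}: ${out}`);
  }
}
```

Running the block prints the same value three ways; only the ‘html’ output still contains live markup, which is why that type would be the one to carry the warning.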