HTML-escaping table data?

At present you can execute queries like:

select "test\n<b>test</b>";

Which will get displayed like:

testtest

Doesn’t this open up all sorts of XSS attacks etc? That doesn’t seem to be the right thing for default behaviour.

I was thinking that:

  • The default ‘Text’ type in the table viz should start to HTML escape cell data.
  • A new ‘HTML’ type be introduced so that the old behaviour can be explicitly selected (perhaps with a big warning!).

What do people think? Should ‘Text’ also convert ‘\n’ to '<br/>' ? Or should there instead be a “Pre-formatted text” option that drops everything in '<pre>' tags? Do other viz need attention?

It’s sanitized to avoid such things.

The Text column type has a toggle for allowing HTML content (“Allow HTML content”):

image

It’s enabled by default for backward compatibility. If not that, it would’ve been disabled by default.

1 Like