Pivot Table XSS injection

The Pivot table has XSS injection vulnerabilities in two places:

1) row groups

2) tooltip

See attached project sample, and screenshots below.

[Screenshot: Screen Shot 2021-12-15 at 8.52.10 PM.png]

[Screenshot: Screen Shot 2021-12-15 at 8.52.55 PM.png]


Attachment: SyncFusion_19.3_Pivot_Pivot_Sanitize_Html_98cea81f.zip

Manikandan Murugesan (Syncfusion Team), December 16, 2021 02:44 PM UTC

Hi Bill,

In the pivot table, we have currently sanitized only the cell template elements. However, you can use the "sanitize" method in the "load" event to sanitize the values in the data source. Please see the code sample below.
Code Example:
import { SanitizeHtmlHelper } from "@syncfusion/ej2-base";

// Pivot "load" event handler: rebuild the data source with every string value
// passed through SanitizeHtmlHelper.sanitize before the pivot engine renders it.
load(args) {
  var source = args.dataSourceSettings.dataSource;
  var data = [];
  for (var i = 0; i < source.length; i++) {
    var keys = Object.keys(source[i]);
    var currentData = {};
    for (var j = 0; j < keys.length; j++) {
      var value = source[i][keys[j]];
      // Only strings can carry markup; numbers and dates are passed through
      // untouched so measures keep the type the pivot engine aggregates on.
      currentData[keys[j]] =
        typeof value === "string" ? SanitizeHtmlHelper.sanitize(value) : value;
    }
    data.push(currentData);
  }
  args.dataSourceSettings.dataSource = data;
},
 
 
Meanwhile, we have modified your sample for your reference. Please find it at the link below.

Please let us know if you have any concerns.

Regards,
Manikandan
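The same "sanitize the data source before the pivot renders it" workaround, written as an added framework-independent example (not Syncfusion's code or the sample from this thread). SanitizeHtmlHelper needs a browser DOM, so the `escapeHtml` stand-in is assumed here; in the real application pass `SanitizeHtmlHelper.sanitize` as the `sanitize` argument. `findMarkup` is an added check that reports which row/field still carries markup, useful for logging or rejecting untrusted input before it reaches a row group or tooltip.

```javascript
// Stand-in sanitizer (assumption): neutralises markup by HTML-escaping it.
// Replace with SanitizeHtmlHelper.sanitize inside a Syncfusion application.
function escapeHtml(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Walk the rows and sanitise only string fields. Numbers, booleans and dates
// pass through untouched so measures keep the type used for aggregation.
function sanitizeRows(rows, sanitize) {
  return rows.map((row) => {
    const clean = {};
    for (const key of Object.keys(row)) {
      const value = row[key];
      clean[key] = typeof value === "string" ? sanitize(value) : value;
    }
    return clean;
  });
}

// Defender's check: list every row/field whose string value still looks like
// HTML markup (an opening tag, comment or closing tag).
function findMarkup(rows) {
  const hits = [];
  rows.forEach((row, index) => {
    for (const key of Object.keys(row)) {
      if (typeof row[key] === "string" && /<[a-zA-Z!/]/.test(row[key])) {
        hits.push({ row: index, field: key });
      }
    }
  });
  return hits;
}

// Constructed sample rows: "Product" is the row-group field and carries markup.
const sampleRows = [
  { Product: "<script>probe()</script>Bikes", Country: "France", Amount: 1200 },
  { Product: "Cars", Country: "Germany", Amount: 350.5 },
];

// What the load handler would assign back to args.dataSourceSettings.dataSource.
const cleanRows = sanitizeRows(sampleRows, escapeHtml);
```

In the pivot's load event this becomes `args.dataSourceSettings.dataSource = sanitizeRows(args.dataSourceSettings.dataSource, SanitizeHtmlHelper.sanitize);`.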
