I have been working recently with DataTables and server-side processing. Some of the test data I was using was not sanitized, i.e.:
<script>alert('xss');</script>
and I discovered DataTables directly injects data into the innerHTML of an element. I did not want to waste time processing the data on the client side, so I simply reworked the creation of cells. For example:
// Need to create the HTML if new, or if a rendering function is defined
if ( !nTrIn || oCol.mRender || oCol.mData !== i )
{
    //nTd.innerHTML = _fnGetCellData( oSettings, iRow, i, 'display' );
    // Text node: the cell value is never parsed as markup
    nTd.appendChild( document.createTextNode( _fnGetCellData( oSettings, iRow, i, 'display' ) ) );
}
Or this example in sorting:
if ( /*was just sTitle*//*document.createTextNode(column.sTitle).innerHTML*/column.sTitle != cell.text() ) {
    //cell.html( column.sTitle );
    // Empty the cell first, then append the title as a text node
    while ( cell[0].lastChild ) {
        cell[0].removeChild( cell[0].lastChild );
    }
    cell[0].appendChild( document.createTextNode( column.sTitle ) );
}
Note that the replacement just appends a text node. Some additional code was required to ensure the nodes are empty, but it seems to be a relatively simple (and beneficial?) fix.
How can we go about implementing these changes? Is it something that could be done for a nightly build, perhaps as an initialization option?
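To show the two defences side by side, here is an added example that is not part of the post or of the DataTables code base: an HTML-escaping helper for the case where a string must still go through innerHTML, and a text-node cell builder in the style of the patch above. The `buildRow`, `setCellText`, `unsafeCellHtml`, `createFakeDocument` and `serialize` names are assumptions of this example; the fake document exists only so the code runs outside a browser, and the sample record is constructed to resemble the unsanitized server response described in the post.

```javascript
// Added example, not DataTables code. Demonstrates why text nodes (or escaping)
// stop a server-supplied value such as "<script>alert('xss');</script>" from
// being interpreted as markup when it is placed into a table cell.

// Escape the five characters that change meaning in HTML text and attributes.
// Use this when a value must be concatenated into an HTML string.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable pattern: raw concatenation into markup that later reaches
// innerHTML. Kept here only to contrast with the safe builders below.
function unsafeCellHtml(value) {
  return '<td>' + value + '</td>';
}

// Build a <tr> for one record using text nodes only. `doc` is a DOM Document
// (window.document in a browser, or the fake below when run under Node).
function buildRow(doc, record, columns) {
  const tr = doc.createElement('tr');
  for (const col of columns) {
    const td = doc.createElement('td');
    const value = record[col] == null ? '' : String(record[col]);
    // createTextNode never parses its argument, so "<script>" stays literal text.
    td.appendChild(doc.createTextNode(value));
    tr.appendChild(td);
  }
  return tr;
}

// Replace a cell's contents with plain text (the same empty-then-append loop
// the post uses for column titles).
function setCellText(doc, cell, text) {
  while (cell.lastChild) cell.removeChild(cell.lastChild);
  cell.appendChild(doc.createTextNode(String(text)));
}

// Minimal stand-in for a DOM Document so the example runs without a browser.
// It supports exactly the calls used above (hypothetical helper, not a real API).
function createFakeDocument() {
  const makeElement = (tag) => ({
    nodeType: 1,
    tagName: tag,
    childNodes: [],
    get lastChild() { return this.childNodes[this.childNodes.length - 1] || null; },
    appendChild(n) { this.childNodes.push(n); return n; },
    removeChild(n) { this.childNodes.splice(this.childNodes.indexOf(n), 1); return n; },
  });
  return {
    createElement: makeElement,
    createTextNode: (text) => ({ nodeType: 3, data: String(text) }),
  };
}

// Serialize a node tree back to HTML, escaping text nodes the way a browser
// would when reading innerHTML. Lets us inspect what the cell really contains.
function serialize(node) {
  if (node.nodeType === 3) return escapeHtml(node.data);
  return '<' + node.tagName + '>' + node.childNodes.map(serialize).join('') + '</' + node.tagName + '>';
}

// Constructed sample record, as an unsanitized server response might deliver it.
const sampleRecord = { name: "<script>alert('xss');</script>", id: 7 };

// Stand-alone demonstration when run directly: the unsafe string keeps the
// script tag, the text-node row does not.
if (typeof require !== 'undefined' && require.main === module) {
  const doc = createFakeDocument();
  console.log(unsafeCellHtml(sampleRecord.name));
  console.log(serialize(buildRow(doc, sampleRecord, ['name', 'id'])));
}
```

In a browser, pass `document` instead of the fake; the `buildRow` and `setCellText` bodies are unchanged. The key property is that `createTextNode` and `textContent` treat their input as data, so no client-side filtering of the server payload is needed for the cell value itself. Escaping is still required wherever a value is spliced into an HTML string, and neither approach protects a column whose renderer intentionally emits markup.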