Escape html for table cell

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2025-01-11 23:14:24 +00:00 · 2020-07-09 14:42:48 +08:00 · 2020-07-09 14:42:48 +08:00 · 1adf1221c6
commit 1adf1221c6
parent b29d2c0a31
1 changed files with 4 additions and 3 deletions
--- a/public/js/lib/renderer/csvpreview.js
+++ b/public/js/lib/renderer/csvpreview.js
@ -1,4 +1,5 @@
 import Papa from 'papaparse'
 import escapeHTML from 'lodash/escape'
 const safeParse = d => {
  try {
@ -22,12 +23,12 @@ export function renderCSVPreview (csv, options = {}, attr = '') {
    return `<table ${attr}>
      <thead>
        <tr>
-          ${fields.map(f => `<th>${f}</th>`).join('')}
+          ${fields.map(f => `<th>${escapeHTML(f)}</th>`).join('')}
        </tr>
      </thead>
      <tbody>
        ${results.data.map(d => `<tr>
-          ${fields.map(f => `<td>${d[f]}</td>`).join('')}
+          ${fields.map(f => `<td>${escapeHTML(d[f])}</td>`).join('')}
        </tr>`).join('')}
      </tbody>
    </table>`
@ -35,7 +36,7 @@ export function renderCSVPreview (csv, options = {}, attr = '') {
    return `<table ${attr}>
      <tbody>
        ${results.data.map(d => `<tr>
-          ${d.map(f => `<td>${f}</td>`).join('')}
+          ${d.map(f => `<td>${escapeHTML(f)}</td>`).join('')}
        </tr>`).join('')}
      </tbody>
    </table>`