If you give the mdt-table directive an mdt-row with data, it will gladly turn whatever's in data in to HTML and run scripts.
Workaround:
In TableDataStorageService.prototype.addRowData, iterate rowArray and sanitize.
for(var i in rowArray) {
if(rowArray[i].value && (typeof rowArray[i].value === 'string' || rowArray[i].value.constructor === String)) {
rowArray[i].value = rowArray[i].value.
replace(/<script[^>]*?>.*?<\/script>/gi, '').
replace(/<[\/\!]*?[^<>]*?>/gi, '').
replace(/<style[^>]*?>.*?<\/style>/gi, '').
replace(/<![\s\S]*?--[ \t\n\r]*>/gi, '');
}
}
If you give the
mdt-tabledirective anmdt-rowwithdata, it will gladly turn whatever's indatain to HTML and run scripts.Workaround:
In
TableDataStorageService.prototype.addRowData, iteraterowArrayand sanitize.