
Commit 1adf122

committed
Escape html for table cell
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
1 parent b29d2c0 commit 1adf122


1 file changed

+4
-3
lines changed

1 file changed

+4
-3
lines changed

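--- a/public/js/lib/renderer/csvpreview.js
+++ b/public/js/lib/renderer/csvpreview.js
@@ -1,4 +1,5 @@
 import Papa from 'papaparse'
+import escapeHTML from 'lodash/escape'
 
 const safeParse = d => {
 try {
@@ -22,20 +23,20 @@ export function renderCSVPreview (csv, options = {}, attr = '') {
 return `<table ${attr}>
 <thead>
 <tr>
-${fields.map(f => `<th>${f}</th>`).join('')}
+${fields.map(f => `<th>${escapeHTML(f)}</th>`).join('')}
 </tr>
 </thead>
 <tbody>
 ${results.data.map(d => `<tr>
-${fields.map(f => `<td>${d[f]}</td>`).join('')}
+${fields.map(f => `<td>${escapeHTML(d[f])}</td>`).join('')}
 </tr>`).join('')}
 </tbody>
 </table>`
 } else {
 return `<table ${attr}>
 <tbody>
 ${results.data.map(d => `<tr>
-${d.map(f => `<td>${f}</td>`).join('')}
+${d.map(f => `<td>${escapeHTML(f)}</td>`).join('')}
 </tr>`).join('')}
 </tbody>
 </table>`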
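Review bot: `attr` is still interpolated verbatim into the opening tag (`<table ${attr}>`) in both the header and the no-header branch, so the escaping added here covers header and cell text only. Where `attr` comes from is not visible in this hunk; if any part of it can derive from document content, it is a remaining path for markup to reach the page unescaped. Since it carries raw attribute syntax, it cannot simply be passed through `escapeHTML`, so the contract should be stated at the function: `// attr is inserted verbatim into the <table> tag; callers must pass only attribute strings they built from escaped, allowlisted values`. The body of `renderCSVPreview` starts and ends outside the hunk, so the parsing of `options` and the final return path were not reviewed.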
