Datasets: Fixed HTML sanitation in datasets table (#2698)

views/dataset-dataentry-page.twig

@@ -86,7 +86,33 @@
         var multiSelectTitleTrans = "{% trans "Multi Select Mode" %}";
         var editModeHelpTrans = "{% trans "Click on any row to edit" %}";
         var multiSelectHelpTrans = "{% trans "Select one or more rows to delete" %}";
+        const entityMap = {
+            '&': '&',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#39;',
+            '/': '&#x2F;',
+            '`': '&#x60;',
+            '=': '&#x3D;'
+        };
+
+        function sanitizeHtml(string) {
+            return String(string).replace(/[&<>"'`=\/]/g, function (s) {
+                return entityMap[s];
+            });
+        }
+
+        function validateHTMLData(str) {
+            let doc = new DOMParser().parseFromString(str, "text/html");
+
+            // If valid html, sanitize and format as a code
+            if (Array.from(doc.body.childNodes).some(node => node.nodeType === 1)) {
+                return `<code>${sanitizeHtml(str)}</code>`;
+            }
 
+            return str;
+        }
 
         cols.push({ "name": "id", "data": "id" });
         {% for col in dataSet.getColumn() %}
@@ -104,7 +130,13 @@
                     }
                 });
             {% else %}
-                cols.push({ "data": "{{ col.heading }}", "orderable": {% if col.showSort == 1 %}true{% else %}false{% endif %} });
+                cols.push({
+                    "data": "{{ col.heading }}",
+                    "orderable": {% if col.showSort == 1 %}true{% else %}false{% endif %},
+                    "render": function(data) {
+                        return validateHTMLData(data);
+                    }
+                });
             {% endif %}
         {% endfor %}