CMK-344

Title: table.cell(): Fix escaping of cell content
Component: GUI
Date: 2018-02-20
State: New
Class: Bug


The content of the cell, which can be provided via an argument, is not escaped by default. This opens several places to XSS attacks. We need to make this method escape the content by default. In case one wants to add HTML code there, it must be wrapped in an HTML() object or written out after table.cell() with html.write(...). There may be several places where wanted HTML code is "destroyed". Can we somehow find these places?
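
A sketch of the behaviour proposed above, added here as an example and not taken from the project's code: cell() escapes plain strings by default, passes HTML() objects through, and records every call site whose plain string looked like markup, which is one way to find the places where wanted HTML would be "destroyed". The Table and HTML classes, the suspects list, the tag heuristic and the sample call sites are all assumptions made for illustration.

```python
import html
import inspect
import re

class HTML:
    """Marks a string as markup the caller vouches for (hypothetical stand-in)."""
    def __init__(self, markup):
        self.markup = markup

# Heuristic: anything that looks like an opening or closing tag.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")

class Table:
    def __init__(self):
        self.out = []        # rendered cells
        self.suspects = []   # (calling function, line number, column title)

    def cell(self, title, content=""):
        if isinstance(content, HTML):
            rendered = content.markup          # explicit opt-in, written as-is
        else:
            raw = str(content)
            if TAG_RE.search(raw):
                # A plain string carrying tags: either hostile input or a
                # caller that still relies on the old unescaped behaviour.
                caller = inspect.currentframe().f_back
                self.suspects.append(
                    (caller.f_code.co_name, caller.f_lineno, title))
            rendered = html.escape(raw)        # escapes & < > " '
        self.out.append("<td>%s</td>" % rendered)
        return rendered

def render_host_row(table, alias):
    # Constructed sample call sites, not real GUI code.
    table.cell("Alias", alias)                                 # untrusted data
    table.cell("Icon", "<img src='ok.png'>")                   # legacy caller
    table.cell("Link", HTML("<a href='view.py'>details</a>"))  # migrated caller

def demo():
    table = Table()
    render_host_row(table, "<script>alert(1)</script>")
    return table
```

Reviewing the suspects list after exercising the GUI separates callers that need an HTML() wrapper from cells that merely displayed untrusted data.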