fix: replace leftover innerHTML assignment with CSP safe approach (#912)

Author: ghiscoding

examples/example4-model-html-formatters.html

@@ -6,6 +6,7 @@
   <title>SlickGrid example 4: Model</title>
   <link rel="stylesheet" href="../dist/styles/css/slick.customtooltip.css" type="text/css" />
   <link rel="stylesheet" href="../dist/styles/css/slick.columnpicker.css" type="text/css"/>
+  <link rel="stylesheet" href="../dist/styles/css/slick.gridmenu.css" type="text/css"/>
   <link rel="stylesheet" href="../dist/styles/css/slick.pager.css" type="text/css"/>
   <link rel="stylesheet" href="../dist/styles/css/slick-icons.css" type="text/css"/>
   <link rel="stylesheet" href="../dist/styles/css/example-demo.css" type="text/css"/>
@@ -131,7 +132,6 @@ <h2>View Source:</h2>
 
 <script src="https://cdn.jsdelivr.net/npm/flatpickr"></script>
 <script src="https://cdn.jsdelivr.net/npm/sortablejs/Sortable.min.js"></script>
-<script src="sortable-cdn-fallback.js"></script>
 
 <script type="module">
 import {
@@ -142,6 +142,7 @@ <h2>View Source:</h2>
   SlickColumnPicker,
   SlickDataView,
   SlickCustomTooltip,
+  SlickGridMenu,
   SlickGridPager,
   SlickGrid,
   Utils,
@@ -174,6 +175,9 @@ <h2>View Source:</h2>
     forceFitTitle: "Force fit columns",
     syncResizeTitle: "Synchronous resize",
   },
+  gridMenu: {
+    iconCssClass: "sgi sgi-menu sgi-17px",    // you can provide iconImage OR iconCssClass
+  },
   editable: true,
   enableAddRow: true,
   enableCellNavigation: true,
@@ -312,12 +316,13 @@ <h2>View Source:</h2>
     d["effortDriven"] = (i % 5 == 0);
   }
 
-  dataView = new SlickDataView({ inlineFilters: true });
+  dataView = new SlickDataView({ inlineFilters: true, useCSPSafeFilter: true });
   grid = new SlickGrid("#myGrid", dataView, columns, options);
   grid.setSelectionModel(new SlickRowSelectionModel());
 
   let pager = new SlickGridPager(dataView, grid, "#pager");
   let columnpicker = new SlickColumnPicker(columns, grid, options);
+  let gridMenu = new SlickGridMenu(columns, grid, options);
 
   const customTooltipPlugin = new SlickCustomTooltip();
   grid.registerPlugin(customTooltipPlugin);

examples/index.html

@@ -128,7 +128,7 @@ <h2>Other Features</h2>
       <li><a href="./example-column-hidden.html">Grid with Hidden Columns</a></li>
       <li><a href="./example-frozen-columns-and-column-group-hidden-col.html">Frozen Grid with Hidden Columns</a></li>
       <li><a href="./example-csp-header.html">CSP Header (Content Security Policy)</a></li>
-      <li><a href="./example4-model-html-formatters.html">Filtered DataView with HTML Formatter - CSP Header (Content Security Policy)</a></li>
+      <li><a href="./example4-model-html-formatters.html">Custom Formatter using native HTML</a></li>
     </ul>
   </div>
 

src/controls/slick.columnmenu.ts

@@ -157,7 +157,7 @@ export class SlickColumnMenu {
 
       const labelElm = document.createElement('label');
       labelElm.htmlFor = `${this._gridUid}colpicker-${columnId}`;
-      labelElm.innerHTML = this.grid.sanitizeHtmlString(columnLabel instanceof HTMLElement ? columnLabel.innerHTML : columnLabel);
+      this.grid.applyHtmlCode(labelElm, columnLabel);
       liElm.appendChild(labelElm);
       this._listElm.appendChild(liElm);
     }
@@ -249,9 +249,7 @@ export class SlickColumnMenu {
 
   /** Update the Titles of each sections (command, customTitle, ...) */
   updateAllTitles(pickerOptions: { columnTitle: string; }) {
-    if (this._columnTitleElm?.innerHTML) {
-      this._columnTitleElm.innerHTML = this.grid.sanitizeHtmlString(pickerOptions.columnTitle);
-    }
+    this.grid.applyHtmlCode(this._columnTitleElm, pickerOptions.columnTitle);
   }
 
   updateColumn(e: DOMMouseOrTouchEvent<HTMLInputElement>) {

src/controls/slick.columnpicker.ts

@@ -158,7 +158,7 @@ export class SlickColumnPicker {
 
       const labelElm = document.createElement('label');
       labelElm.htmlFor = `${this._gridUid}colpicker-${columnId}`;
-      labelElm.innerHTML = this.grid.sanitizeHtmlString(columnLabel instanceof HTMLElement ? columnLabel.innerHTML : columnLabel);
+      this.grid.applyHtmlCode(labelElm, columnLabel);
       liElm.appendChild(labelElm);
       this._listElm.appendChild(liElm);
     }
@@ -250,9 +250,7 @@ export class SlickColumnPicker {
 
   /** Update the Titles of each sections (command, customTitle, ...) */
   updateAllTitles(pickerOptions: { columnTitle: string; }) {
-    if (this._columnTitleElm?.innerHTML) {
-      this._columnTitleElm.innerHTML = this.grid.sanitizeHtmlString(pickerOptions.columnTitle);
-    }
+    this.grid.applyHtmlCode(this._columnTitleElm, pickerOptions.columnTitle);
   }
 
   protected updateColumn(e: DOMMouseOrTouchEvent<HTMLInputElement>) {

src/controls/slick.gridmenu.ts

@@ -393,7 +393,7 @@ export class SlickGridMenu {
     if (!isSubMenu && (this._gridMenuOptions?.commandTitle || this._gridMenuOptions?.customTitle)) {
       this._commandTitleElm = document.createElement('div');
       this._commandTitleElm.className = 'title';
-      this._commandTitleElm.innerHTML = this.grid.sanitizeHtmlString((this._gridMenuOptions.commandTitle || this._gridMenuOptions.customTitle) as string);
+      this.grid.applyHtmlCode(this._commandTitleElm, this.grid.sanitizeHtmlString((this._gridMenuOptions.commandTitle || this._gridMenuOptions.customTitle) as string));
       commandListElm.appendChild(this._commandTitleElm);
     }
 
@@ -461,7 +461,7 @@ export class SlickGridMenu {
 
       const textElm = document.createElement('span');
       textElm.className = 'slick-gridmenu-content';
-      textElm.innerHTML = this.grid.sanitizeHtmlString((item as GridMenuItem).title || '');
+      this.grid.applyHtmlCode(textElm, this.grid.sanitizeHtmlString((item as GridMenuItem).title || ''));
 
       liElm.appendChild(textElm);
 
@@ -512,7 +512,7 @@ export class SlickGridMenu {
     if (this._gridMenuOptions?.columnTitle) {
       this._columnTitleElm = document.createElement('div');
       this._columnTitleElm.className = 'title';
-      this._columnTitleElm.innerHTML = this.grid.sanitizeHtmlString(this._gridMenuOptions.columnTitle);
+      this.grid.applyHtmlCode(this._columnTitleElm, this.grid.sanitizeHtmlString(this._gridMenuOptions.columnTitle));
       this._menuElm.appendChild(this._columnTitleElm);
     }
 
@@ -592,7 +592,7 @@ export class SlickGridMenu {
 
       const labelElm = document.createElement('label');
       labelElm.htmlFor = `${this._gridUid}-gridmenu-colpicker-${columnId}`;
-      labelElm.innerHTML = this.grid.sanitizeHtmlString((columnLabel instanceof HTMLElement ? columnLabel.innerHTML : columnLabel) || '');
+      this.grid.applyHtmlCode(labelElm, this.grid.sanitizeHtmlString((columnLabel instanceof HTMLElement ? columnLabel.innerHTML : columnLabel) || ''));
       liElm.appendChild(labelElm);
       this._listElm.appendChild(liElm);
     }
@@ -760,11 +760,11 @@ export class SlickGridMenu {
 
   /** Update the Titles of each sections (command, commandTitle, ...) */
   updateAllTitles(gridMenuOptions: GridMenuOption) {
-    if (this._commandTitleElm?.innerHTML) {
-      this._commandTitleElm.innerHTML = this.grid.sanitizeHtmlString(gridMenuOptions.commandTitle || gridMenuOptions.customTitle || '');
+    if (this._commandTitleElm) {
+      this.grid.applyHtmlCode(this._commandTitleElm, this.grid.sanitizeHtmlString(gridMenuOptions.commandTitle || gridMenuOptions.customTitle || ''));
     }
-    if (this._columnTitleElm?.innerHTML) {
-      this._columnTitleElm.innerHTML = this.grid.sanitizeHtmlString(gridMenuOptions.columnTitle || '');
+    if (this._columnTitleElm) {
+      this.grid.applyHtmlCode(this._columnTitleElm, this.grid.sanitizeHtmlString(gridMenuOptions.columnTitle || ''));
     }
   }
 

src/plugins/slick.cellmenu.ts

@@ -333,7 +333,7 @@ export class SlickCellMenu implements SlickPlugin {
       const spanCloseElm = document.createElement('span');
       spanCloseElm.className = 'close';
       spanCloseElm.ariaHidden = 'true';
-      spanCloseElm.innerHTML = '×';
+      spanCloseElm.textContent = '×';
       closeButtonElm.appendChild(spanCloseElm);
     }
 

src/plugins/slick.customtooltip.ts

@@ -263,7 +263,7 @@ export class SlickCustomTooltip {
    */
   protected renderRegularTooltip(formatterOrText: Formatter | string | undefined, cell: { row: number; cell: number; }, value: any, columnDef: Column, item: any) {
     const tmpDiv = document.createElement('div');
-    tmpDiv.innerHTML = this.parseFormatterAndSanitize(formatterOrText, cell, value, columnDef, item);
+    this._grid.applyHtmlCode(tmpDiv, this.parseFormatterAndSanitize(formatterOrText, cell, value, columnDef, item));
     let tooltipText = columnDef.toolTip || '';
     let tmpTitleElm;
 
@@ -427,12 +427,12 @@ export class SlickCustomTooltip {
    * Parse the Custom Formatter (when provided) or return directly the text when it is already a string.
    * We will also sanitize the text in both cases before returning it so that it can be used safely.
    */
-  protected parseFormatterAndSanitize(formatterOrText: Formatter | string | undefined, cell: { row: number; cell: number; }, value: any, columnDef: Column, item: unknown): string {
+  protected parseFormatterAndSanitize(formatterOrText: Formatter | string | undefined, cell: { row: number; cell: number; }, value: any, columnDef: Column, item: unknown): string | HTMLElement {
     if (typeof formatterOrText === 'function') {
       const tooltipResult = formatterOrText(cell.row, cell.cell, value, columnDef, item, this._grid);
-      let formatterText = (Object.prototype.toString.call(tooltipResult) !== '[object Object]' ? tooltipResult : (tooltipResult as FormatterResultWithHtml).html || (tooltipResult as FormatterResultWithText).text);
+      const formatterText = (Object.prototype.toString.call(tooltipResult) !== '[object Object]' ? tooltipResult : (tooltipResult as FormatterResultWithHtml).html || (tooltipResult as FormatterResultWithText).text);
       if (formatterText instanceof HTMLElement) {
-        formatterText = formatterText.outerHTML;
+        return formatterText;
       }
       return this._grid.sanitizeHtmlString(formatterText as string);
     } else if (typeof formatterOrText === 'string') {
@@ -450,15 +450,27 @@ export class SlickCustomTooltip {
     this._tooltipElm.classList.add('l' + cell.cell);
     this._tooltipElm.classList.add('r' + cell.cell);
     let outputText = tooltipText || this.parseFormatterAndSanitize(formatter, cell, value, columnDef, item) || '';
-    outputText = (this._cellTooltipOptions.tooltipTextMaxLength && outputText.length > this._cellTooltipOptions.tooltipTextMaxLength) ? outputText.substring(0, this._cellTooltipOptions.tooltipTextMaxLength - 3) + '...' : outputText;
+    if (outputText instanceof HTMLElement) {
+      const content = outputText.textContent || '';
+      if (this._cellTooltipOptions.tooltipTextMaxLength && content.length > this._cellTooltipOptions.tooltipTextMaxLength) {
+        outputText.textContent = content.substring(0, this._cellTooltipOptions.tooltipTextMaxLength - 3) + '...';
+      }
+    } else {
+      outputText = (this._cellTooltipOptions.tooltipTextMaxLength && outputText.length > this._cellTooltipOptions.tooltipTextMaxLength) ? outputText.substring(0, this._cellTooltipOptions.tooltipTextMaxLength - 3) + '...' : outputText;
+    }
 
     let finalOutputText = '';
     if (!tooltipText || (this._cellTooltipOptions?.renderRegularTooltipAsHtml)) {
-      finalOutputText = this._grid.sanitizeHtmlString(outputText);
-      this._tooltipElm.innerHTML = finalOutputText;
+      if (outputText instanceof HTMLElement) {
+        this._grid.applyHtmlCode(this._tooltipElm, outputText);
+        finalOutputText = this._grid.sanitizeHtmlString(outputText.textContent || '');
+      } else {
+        finalOutputText = this._grid.sanitizeHtmlString(outputText);
+        this._tooltipElm.innerHTML = finalOutputText;
+      }
       this._tooltipElm.style.whiteSpace = this._cellTooltipOptions?.whiteSpace ?? this._defaults.whiteSpace as string;
     } else {
-      finalOutputText = outputText || '';
+      finalOutputText = (outputText instanceof HTMLElement ? outputText.textContent : outputText) || '';
       this._tooltipElm.textContent = finalOutputText;
       this._tooltipElm.style.whiteSpace = this._cellTooltipOptions?.regularTooltipWhiteSpace ?? this._defaults.regularTooltipWhiteSpace as string; // use `pre` so that sequences of white space are collapsed. Lines are broken at newline characters
     }
@@ -484,7 +496,7 @@ export class SlickCustomTooltip {
       }
 
       // also clear any "title" attribute to avoid showing a 2nd browser tooltip
-      this.swapAndClearTitleAttribute(inputTitleElm, outputText);
+      this.swapAndClearTitleAttribute(inputTitleElm, (outputText instanceof HTMLElement ? outputText.textContent : outputText) || '');
     }
   }
 

src/slick.grid.ts

@@ -526,13 +526,15 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
    * @param val - input value can be either a string or an HTMLElement
    */
   applyHtmlCode(target: HTMLElement, val: string | HTMLElement) {
-    if (val instanceof HTMLElement) {
-      target.appendChild(val);
-    } else {
-      if (this._options.enableHtmlRendering) {
-        target.innerHTML = this.sanitizeHtmlString(val as string);
+    if (target) {
+      if (val instanceof HTMLElement) {
+        target.appendChild(val);
       } else {
-        target.textContent = this.sanitizeHtmlString(val as string);
+        if (this._options.enableHtmlRendering) {
+          target.innerHTML = this.sanitizeHtmlString(val as string);
+        } else {
+          target.textContent = this.sanitizeHtmlString(val as string);
+        }
       }
     }
   }
@@ -3937,11 +3939,7 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
     // if there is a corresponding row (if not, this is the Add New row or this data hasn't been loaded yet)
     if (item) {
       const cellResult = (Object.prototype.toString.call(formatterResult) !== '[object Object]' ? formatterResult : (formatterResult as FormatterResultWithHtml).html || (formatterResult as FormatterResultWithText).text);
-      if (cellResult instanceof HTMLElement) {
-        cellDiv.appendChild(cellResult);
-      } else {
-        cellDiv.innerHTML = this.sanitizeHtmlString(cellResult as string);
-      }
+      this.applyHtmlCode(cellDiv, cellResult as string | HTMLElement);
     }
 
     divRow.appendChild(cellDiv);
@@ -4625,7 +4623,7 @@ export class SlickGrid<TData = any, C extends Column<TData> = Column<TData>, O e
     }
 
     const x = document.createElement('div');
-    x.innerHTML = this.sanitizeHtmlString(divRow.outerHTML);
+    x.appendChild(divRow);
 
     let processedRow: number | null | undefined;
     let node: HTMLElement;