Closed
Description
Using a column defined as [<script type='text/javascript'>alert('qqq')</script>], the column header when selecting * for the table will be blank. This implies that the column header is being interpreted as javascript, thus this is a javascript injection bug.
Fortunately, there's not a large impact for this bug since 1) column names that are js script tags are highly unlikely, and likely only going to cause a js injection on yourself, and 2) the webview prevents requests to outside its origin (i.e., localhost).
Nevertheless, this is an issue that should be fixed like we fixed it in the cells.
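The header behaviour described above, shown as an added example that is not the project's code or its fix: a header row built by string concatenation next to one that HTML-encodes each column name first. The function names and the `<tr>`/`<th>` layout are assumptions; the second sample column name is the one from this report.

```javascript
// Constructed column metadata; the second name is the one quoted in the report.
const sampleColumns = [
  { name: "id" },
  { name: "<script type='text/javascript'>alert('qqq')</script>" },
  { name: 'a&b "quoted"' },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before (hypothetical): the column name is concatenated into markup as-is,
// so a name made of tags is parsed as markup and the visible header is blank.
function renderHeaderUnsafe(columns) {
  return "<tr>" + columns.map((c) => `<th>${c.name}</th>`).join("") + "</tr>";
}

// After (hypothetical): the name is encoded, so it can only ever be text.
function renderHeaderSafe(columns) {
  return "<tr>" + columns.map((c) => `<th>${escapeHtml(c.name)}</th>`).join("") + "</tr>";
}

// Regression check: does the rendered row contain a script element?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// For encoded output only: recover the text each <th> displays by decoding
// the entities in one pass, to confirm the header shows the raw column name.
function headerTextOf(encodedHtml) {
  const decode = (s) => s.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(HTML_ESCAPES).find((k) => HTML_ESCAPES[k] === m));
  return [...encodedHtml.matchAll(/<th>(.*?)<\/th>/g)].map((m) => decode(m[1]));
}

console.log(renderHeaderUnsafe(sampleColumns));
console.log(renderHeaderSafe(sampleColumns));
```

In DOM-based rendering, assigning the column name to a header element's `textContent` instead of building markup strings gives the same result without a hand-written encoder.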
Activity
benrr101 commented on Mar 27, 2017
Fixed in #795