From 38993e0b6704dc93956044a0295eff54f212d0d1 Mon Sep 17 00:00:00 2001
From: Przemyslaw Klys
Date: Thu, 5 Jun 2025 22:16:11 +0200
Subject: [PATCH 1/3] =?UTF-8?q?fix(New-HTMLTable):=20=F0=9F=90=9B=20Escape?= =?UTF-8?q?=20HTML=20characters=20when=20InvokeHTMLTags=20is=20not=20set?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Ensure HTML characters are escaped to prevent breaking JavaScript code.
* This change applies to both data insertion scenarios in the `New-HTMLTable` function.
---
 Public/New-HTMLTable.ps1 | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Public/New-HTMLTable.ps1 b/Public/New-HTMLTable.ps1
index ec64681f..84dce713 100644
--- a/Public/New-HTMLTable.ps1
+++ b/Public/New-HTMLTable.ps1
@@ -1308,6 +1308,12 @@
 ArrayJoinString = $Script:HTMLSchema['TableOptions']['DataStoreOptions'].ArrayJoinString
 }
 $DataToInsert = $Table | ConvertTo-PrettyObject @convertToPrettyObjectSplat | ConvertTo-Json
+ if (-not $InvokeHTMLTags) {
+ # If InvokeHTMLTags is not set, we need to escape HTML characters
+ # By default HTML tags are escaped when using DataStore HTML, but not when using JavaScript
+ # So we need to escape them here, so they don't break the JavaScript code
+ $DataToInsert = $DataToInsert -replace "<", "<" -replace ">"
+ }
 if ($DataToInsert.StartsWith('[')) {
 $Script:HTMLSchema.CustomFooterJS[$DataStoreID] = "var $DataStoreID = $DataToInsert;"
 } else {
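Review bot: When `$InvokeHTMLTags` is set, `$DataToInsert` is still written unescaped into `var $DataStoreID = $DataToInsert;` (and, in the second hunk of this patch, into the `markerForDataReplacement` slot), so the new guard leaves that path with no protection for the surrounding script. If this JavaScript is emitted inline in the page, which the `CustomFooterJS` name suggests but the hunk does not show, a cell value containing a closing script tag would end the script element early and the remaining data would be parsed as markup. A JSON-level escape leaves the decoded value unchanged for the table while making it inert to the HTML parser: `else { $DataToInsert = $DataToInsert -replace '<', '\u003c' }`. The enclosing function starts and ends outside both hunks.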
@@ -1328,6 +1334,12 @@
 ArrayJoinString = $Script:HTMLSchema['TableOptions']['DataStoreOptions'].ArrayJoinString
 }
 $DataToInsert = $Table | ConvertTo-PrettyObject @convertToPrettyObjectSplat | ConvertTo-Json
+ if (-not $InvokeHTMLTags) {
+ # If InvokeHTMLTags is not set, we need to escape HTML characters
+ # By default HTML tags are escaped when using DataStore HTML, but not when using JavaScript
+ # So we need to escape them here, so they don't break the JavaScript code
+ $DataToInsert = $DataToInsert -replace "<", "<" -replace ">", ">"
+ }
 if ($DataToInsert.StartsWith('[')) {
 $Options = $Options.Replace('"markerForDataReplacement"', $DataToInsert)
 } else {
From 056e2734a9dfb13d926d64c098763238c9a1e4be Mon Sep 17 00:00:00 2001
From: Przemyslaw Klys
Date: Thu, 5 Jun 2025 22:18:28 +0200
Subject: [PATCH 2/3] =?UTF-8?q?feat(Example-TableWithTags):=20=E2=9C=A8=20?= =?UTF-8?q?Add=20example=20for=20generating=20HTML=20table=20with=20tags?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Introduced a new example script to demonstrate the usage of `New-HTMLTable` with HTML tags.
* The example includes options for JavaScript data storage and formatting.
---
 .../Example-TableWithTags/Example-TableWithTags.ps1 | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 Examples/Example-TableWithTags/Example-TableWithTags.ps1
diff --git a/Examples/Example-TableWithTags/Example-TableWithTags.ps1 b/Examples/Example-TableWithTags/Example-TableWithTags.ps1
new file mode 100644
index 00000000..8569d1ee
--- /dev/null
+++ b/Examples/Example-TableWithTags/Example-TableWithTags.ps1
@@ -0,0 +1,12 @@
+Import-Module .\PSWriteHTML.psd1 -Force
+
+$test = ""
+New-HTML {
+ New-HTMLTableOption -DataStore JavaScript -BoolAsString -ArrayJoinString '
' -ArrayJoin
+
+ New-HTMLTab -Name 'Forest' {
+ New-HTMLSection -HeaderText 'Summary' {
+ New-HTMLTable -DataTable $test
+ }
+ }
+} -ShowHTML -FilePath "$PSScriptRoot\Example-TableWithTags.html" -Online
From f8e8e5006a588447f46809fee00b88d9140493d1 Mon Sep 17 00:00:00 2001
From: Przemyslaw Klys
Date: Thu, 4 Sep 2025 16:51:28 +0200
Subject: [PATCH 3/3] =?UTF-8?q?fix:=20=F0=9F=90=9B=20Escape=20'>'=20charac?= =?UTF-8?q?ter=20in=20JavaScript=20data=20insertion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Updated the data insertion logic to properly escape the '>' character in addition to '<'.
* This change prevents potential issues with JavaScript code execution when HTML tags are included in the data.
---
 Public/New-HTMLTable.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Public/New-HTMLTable.ps1 b/Public/New-HTMLTable.ps1
index af9f6492..75395fea 100644
--- a/Public/New-HTMLTable.ps1
+++ b/Public/New-HTMLTable.ps1
@@ -1325,7 +1325,7 @@
 # If InvokeHTMLTags is not set, we need to escape HTML characters
 # By default HTML tags are escaped when using DataStore HTML, but not when using JavaScript
 # So we need to escape them here, so they don't break the JavaScript code
- $DataToInsert = $DataToInsert -replace "<", "<" -replace ">"
+ $DataToInsert = $DataToInsert -replace "<", "<" -replace ">", ">"
 }
 if ($DataToInsert.StartsWith('[')) {
 $Script:HTMLSchema.CustomFooterJS[$DataStoreID] = "var $DataStoreID = $DataToInsert;"
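Review bot: In Examples/Example-TableWithTags/Example-TableWithTags.ps1, `Import-Module .\PSWriteHTML.psd1 -Force` resolves against the caller's current directory, while the output path on the last line is anchored to `$PSScriptRoot`. Run from anywhere other than the directory holding the manifest, the example either fails or loads whichever `PSWriteHTML.psd1` is in the working directory. Anchoring the import the same way makes the example load the module it ships with, e.g. `Import-Module "$PSScriptRoot\..\..\PSWriteHTML.psd1" -Force`, assuming the manifest sits at the repository root. As rendered on this page `$test` is an empty string, which may be an extraction artefact; if that is the real content, the example exercises no tags at all.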
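Review bot: In Public/New-HTMLTable.ps1 (patch 3/3), both `-replace` patterns on the changed line match only literal `<` and `>` in the output of `ConvertTo-Json`, and that output is engine-dependent: Windows PowerShell 5.1 serializes those characters as `\u003c` and `\u003e`, which the browser decodes back to raw angle brackets after this replace has already run. If 5.1 is a supported host, confirm there that tags in cell data are still displayed as text rather than rendered, unless the JSON is normalised somewhere outside this hunk. At minimum I would record the assumption next to the replace: `# Assumes ConvertTo-Json emits literal < and >; Windows PowerShell 5.1 emits \u003c / \u003e instead`. The same applies to the second copy of this block added in patch 1/3, and the enclosing function lies outside the hunk.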