06b63b67ef3e2fc344d7b846a2316ba86030169d Fix: Security (CodeQL) - pot…

…ential for `<script>` injection if done with multiple nesting

Fix: CodeQL warning - Multiple character replacement (wouldn't actually cause an issue due to the fact that the string was already limited to a single character, but for completeness, the regex would catch multiple characters now.
Fix: Use built in HTML striping function to read title from header - no security impact.
Fix: For state saved child row state, only escape `:` characters if not already escaped.

Sync to source repo @06b63b67ef3e2fc344d7b846a2316ba86030169d

datatables.json

@@ -11,5 +11,5 @@
     ],
     "src-repo": "http://github.com/DataTables/DataTablesSrc",
     "last-tag": "2.0.3",
-    "last-sync": "26a9c2f7f10d1b0f41009a6476b9784674c4767b"
+    "last-sync": "06b63b67ef3e2fc344d7b846a2316ba86030169d"
 }

js/dataTables.js

@@ -1284,10 +1284,19 @@
 	};
 
 	// Replaceable function in api.util
-	var _stripHtml = function ( d ) {
-		return d
-			.replace( _re_html, '' ) // Complete tags
-			.replace(/<script/i, ''); // Safety for incomplete script tag
+	var _stripHtml = function (input) {
+		var previous;
+
+		input = input.replace(_re_html, ''); // Complete tags
+
+		// Safety for incomplete script tag - use do / while to ensure that
+		// we get all instances
+		do {
+			previous = input;
+			input = input.replace(/<script/i, '');
+		} while (input !== previous);
+
+		return previous;
 	};
 
 	// Replaceable function in api.util
@@ -3887,7 +3896,7 @@
 								}
 
 								if (! columnDef.sTitle && unique) {
-									columnDef.sTitle = cell.innerHTML.replace( /<.*?>/g, "" );
+									columnDef.sTitle = _stripHtml(cell.innerHTML);
 									columnDef.autoTitle = true;
 								}
 							}
@@ -4508,7 +4517,7 @@
 					word = '';
 				}
 
-				return word.replace('"', '');
+				return word.replace(/"/g, '');
 			} );
 
 			var match = not.length
@@ -7934,8 +7943,9 @@
 	{
 		if ( state && state.childRows ) {
 			api
-				.rows( state.childRows.map(function (id){
-					return id.replace(/:/g, '\\:')
+				.rows( state.childRows.map(function (id) {
+					// Escape any `:` characters from the row id, unless previously escaped
+					return id.replace(/(?<!\\):/g, '\\:');
 				}) )
 				.every( function () {
 					_fnCallbackFire( api.settings()[0], null, 'requestChild', [ this ] )

js/dataTables.mjs

@@ -1231,10 +1231,19 @@ var _removeEmpty = function ( a )
 };
 
 // Replaceable function in api.util
-var _stripHtml = function ( d ) {
-	return d
-		.replace( _re_html, '' ) // Complete tags
-		.replace(/<script/i, ''); // Safety for incomplete script tag
+var _stripHtml = function (input) {
+	var previous;
+
+	input = input.replace(_re_html, ''); // Complete tags
+
+	// Safety for incomplete script tag - use do / while to ensure that
+	// we get all instances
+	do {
+		previous = input;
+		input = input.replace(/<script/i, '');
+	} while (input !== previous);
+
+	return previous;
 };
 
 // Replaceable function in api.util
@@ -3834,7 +3843,7 @@ function _fnDetectHeader ( settings, thead, write )
 							}
 
 							if (! columnDef.sTitle && unique) {
-								columnDef.sTitle = cell.innerHTML.replace( /<.*?>/g, "" );
+								columnDef.sTitle = _stripHtml(cell.innerHTML);
 								columnDef.autoTitle = true;
 							}
 						}
@@ -4455,7 +4464,7 @@ function _fnFilterCreateSearch( search, inOpts )
 				word = '';
 			}
 
-			return word.replace('"', '');
+			return word.replace(/"/g, '');
 		} );
 
 		var match = not.length
@@ -7881,8 +7890,9 @@ var __details_state_load = function (api, state)
 {
 	if ( state && state.childRows ) {
 		api
-			.rows( state.childRows.map(function (id){
-				return id.replace(/:/g, '\\:')
+			.rows( state.childRows.map(function (id) {
+				// Escape any `:` characters from the row id, unless previously escaped
+				return id.replace(/(?<!\\):/g, '\\:');
 			}) )
 			.every( function () {
 				_fnCallbackFire( api.settings()[0], null, 'requestChild', [ this ] )