DataTables Security

DataTables Security

cssnoobcssnoob Posts: 3Questions: 1Answers: 0
edited June 2021 in General

Hi everyone,

I am very new to javascript, html, and datatables. I applied this this datatable verbatim to my HTML table successfully.

After reviewing the Security page, I just want to make sure of a few points.
* Unless something external breaks through my organization's firewall, will the data within the table being displayed remain safe?
* I don't have admin privileges to my my machine, and my browser settings are set to strict. Should I avoid a particular browser? My organization uses Edge, Chrome and Internet Explorer.
* Other than implementing the above data table code and scripts, is there anything else I should do?

Edit: I forgot to add - the page will be displayed locally only, not on some server. But I still have internet access.

Thanks,
cssnoob

Answers

  • allanallan Posts: 63,494Questions: 1Answers: 10,470 Site admin

    Unless something external breaks through my organization's firewall, will the data within the table being displayed remain safe?

    It depends what you mean by safe here. If you don't want anyone else to be able to view the data, that you would need to prevent the page the table is on from being visible on the web (DataTables doesn't "call home" if that is what you are asking).

    But if someone had access to view the page, they would be able to view (and scrape) the data.

    I don't have admin privileges to my my machine, and my browser settings are set to strict. Should I avoid a particular browser? My organization uses Edge, Chrome and Internet Explorer.

    IE is no longer supported by Microsoft, so any security vulnerabilities found in it, will not be patched by Microsoft. So I would suggest not using IE for this point alone, but that will be down to a company IT decision.

    DataTables itself will work fine on those browsers and doesn't trigger any security issues in them.

    Other than implementing the above data table code and scripts, is there anything else I should do?

    From a DataTables point of view, the key question is, are you going to be showing unsanitised user input data. If so, then you must use the text renderer, noted on the security page under the XSS section.

    Allan

  • cssnoobcssnoob Posts: 3Questions: 1Answers: 0
    edited June 2021

    Hi Allan,

    I really appreciate your reply.

    By safe, I meant from any internal or external attacks. I will only be sharing this page internally within my organization to a few specific people. So yes, in theory they could open up the HTML file and take the data (in this case, that is fine). I assume the only way to prevent this is if I actually host it on a server that calls the files from a different location.

    As for your last comment - I am not sure if I fully understand. The people who I share this HTML page with won't be inputting data or modifying any data within the table itself. They may provide information in the search bar (see first link in my original post for what I mean) to narrow down specific results within the table though.

    Thanks,
    cssnoob

  • allanallan Posts: 63,494Questions: 1Answers: 10,470 Site admin

    So yes, in theory they could open up the HTML file and take the data (in this case, that is fine).

    Correct.

    I assume the only way to prevent this is if I actually host it on a server that calls the files from a different location.

    You would prevent this by hosting the page on a server which can only be accessed locally in your organisation. If it is a public facing web-page, then anyone with the URL can access it.

    The people who I share this HTML page with won't be inputting data or modifying any data within the table itself.

    Okay. No risk of showing unescaped HTML in the table then. You are perfectly safe here.

    Allan

  • cssnoobcssnoob Posts: 3Questions: 1Answers: 0

    Hi Allan,

    I really appreciate your help. Thank you very much.

Sign In or Register to comment.