After doing some POC development with ABP Framework I am greatly impressed, finding it a tremendous productivity booster. One thing I did notice is that the DataTables grids I initially ended up with show unencoded data. This is visible in the starter template, by entering this role name:
<script>alert('xss');</script>
This is also visible in the tutorial results, by entering this value as a book name. In both cases the JavaScript gets executed and the alert gets displayed.
One way to prevent this is to add a render function for data columns (see also https://datatables.net/manual/data/renderers#Text-helper):
render: $.fn.dataTable.render.text()
Version: 4.2.2
User interface: MVC / Razor Pages
Database provider: n/a
Exception message/stack trace: n/a
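The following is an added example, not code from the issue, from ABP or from DataTables. It runs under Node with no jQuery or DataTables loaded, so `textRenderer()` is a stand-in that mirrors the escaping `$.fn.dataTable.render.text()` performs (assumption: the HTML-significant characters `&`, `<`, `>`, `"` and `'` are entity-encoded), and `renderRow()` is a minimal model of how DataTables fills a cell (the column's `render` result, or the raw data when there is no renderer, is inserted as HTML). The role column names and the sample row are constructed for the demonstration; `isDefault` is not taken from the ABP grid.

```javascript
// Added example: why an unescaped DataTables column is an XSS sink, and what
// a text renderer changes. Nothing here is ABP or DataTables code.

// Payload from the issue report, entered as a role name / book name.
const XSS_ROLE_NAME = "<script>alert('xss');</script>";

// Stand-in for $.fn.dataTable.render.text(): a factory returning a
// (data, type, row) => string renderer, the same shape DataTables expects.
// Assumption: entity-encoding &, <, >, " and ' is what the real helper does.
function textRenderer() {
  return function (data, type, row) {
    if (typeof data !== 'string') return data; // numbers/booleans pass through
    return data
      .replace(/&/g, '&amp;')   // must be first, or later entities get double-encoded
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  };
}

// Minimal model of DataTables cell filling: the column's render() output, or
// the raw field value when no renderer is set, lands in the cell as HTML.
// The "no renderer" branch is the sink the issue describes.
function renderRow(columns, row) {
  return columns
    .map((col) => {
      const raw = row[col.data];
      const display = typeof col.render === 'function'
        ? col.render(raw, 'display', row)
        : raw;
      return `<td>${display}</td>`;
    })
    .join('');
}

// Column definitions as they would appear in a DataTables config.
// Constructed for the example; the second column is hypothetical.
const unsafeColumns = [
  { title: 'Role name', data: 'name' },
  { title: 'Default', data: 'isDefault' },
];

const safeColumns = [
  { title: 'Role name', data: 'name', render: textRenderer() },
  { title: 'Default', data: 'isDefault' },
];

// Constructed sample row, standing in for a role returned by the API.
const sampleRole = { name: XSS_ROLE_NAME, isDefault: false };

// True when the rendered HTML still carries a real <script> tag.
function containsUnescapedScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const unsafeHtml = renderRow(unsafeColumns, sampleRole);
  const safeHtml = renderRow(safeColumns, sampleRole);
  return {
    unsafeHtml,
    safeHtml,
    unsafeHasScript: containsUnescapedScript(unsafeHtml),
    safeHasScript: containsUnescapedScript(safeHtml),
  };
}

console.log(demo());
```

The renderer only protects the columns it is attached to. In a real DataTables config, `columnDefs: [{ targets: '_all', render: $.fn.dataTable.render.text() }]` applies it to every column, but any column whose renderer deliberately builds HTML (action buttons, links, badges) has to encode the data it interpolates itself, since the text helper cannot be applied on top of markup you intend to keep.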