
XSS on tasks page #650

@nt0xa

When a task URL is, for example, like http://localhost/?q=<script>alert(1)</script>,
you can see an alert on the /tasks page:

[screenshot, 2016-12-12 18:47:31]

This happened because the data was not properly escaped here:
https://github.com/mher/flower/blob/master/flower/static/js/flower.js#L800-L804

I think the fix for this issue will be something like this:

}, {
    targets: 4,
    data: 'kwargs',
    visible: isColumnVisible('kwargs'),
    // Escape the cell value before DataTables inserts it into the page as HTML.
    render: function (data) {
        var entityMap = {
            '&': '&amp;',
            '<': '&lt;',
            '>': '&gt;',
            '"': '&quot;',
            '\'': '&#39;',
            '/': '&#x2F;'
        };
        // String() guards against non-string cells (null, numbers), which have no .replace.
        return String(data == null ? '' : data).replace(/[&<>"'\/]/g, function (s) {
            return entityMap[s];
        });
    }
}, {

Or like this:

}, {
    targets: 4,
    data: 'kwargs',
    visible: isColumnVisible('kwargs'),
    // DataTables' built-in renderer that HTML-escapes the value for display.
    render: $.fn.dataTable.render.text()
}, {

$.fn.dataTable.render.text appeared in DataTables 1.10.10 (see https://datatables.net/manual/security)
