in [source:/trunk/modules/ViewDataTable.php] method
Is this safe? We use Piwik_Common::getRequestVar() to sanitize the value, but is it safe enough? Or could some hijacking/XSS/etc. be possible here?
Just a suggestion - you probably only want to sanitize HTML tags and quotes. The actual data of the request should be left as is as much as possible, or at least kept in strings when output to JS.
That said, just about anything can get past a typical filter these days - have a brief glance through this cheat sheet for XSS (ha.ckers.org/xss.html); it's clearly impractical to protect data against just about anything. As long as arbitrary JS can't go straight from the URL to the scripts (unless this is intentional, of course), there really is no cause for concern.
The htmlspecialchars() in Piwik_Common::getRequestVar() is sufficient, and maybe an addslashes() somewhere is an option.
(In ) - fix #5498. Thanks for your help on this, Draicone. Added addslashes() to the values printed in the JS footer of the datatables.
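To make the trade-off in the thread concrete, here is an added example (not Piwik's code, and not the ViewDataTable.php change referenced above) that puts the two approaches side by side: the htmlspecialchars() plus addslashes() combination the ticket settled on, and a context-aware alternative that uses json_encode() to build the JavaScript string literal. The function names and the sample values are constructed for the illustration. It shows what Draicone's comment hints at: HTML entity encoding changes the data that reaches the script, and neither filter understands JavaScript string syntax, whereas a JSON encoder with the HEX flags keeps the decoded value identical to the input while never emitting a raw quote or a `</script>` sequence inside the script block.

```php
<?php
// Added example (not Piwik's code): two ways of emitting a request value into a
// JavaScript footer. Function names and sample values are constructed.

declare(strict_types=1);

// Roughly what the ticket settled on: HTML-escape, then backslash-escape quotes.
// Both filters alter the data ("&" becomes "&amp;", "'" becomes "&#039;") and
// neither knows JavaScript string syntax, so a raw line break survives and
// terminates the literal early.
function jsStringLegacy(string $value): string
{
    $escaped = addslashes(htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    return "'" . $escaped . "'";
}

// Context-aware alternative: json_encode() produces a complete JavaScript string
// literal (quotes, backslashes and line breaks are escaped for us), and the HEX
// flags turn '<', '>', '&' and both quote characters into \uXXXX escapes, so the
// HTML parser never sees "</script>" or a quote, while JSON.parse()/the JS
// engine decodes the literal back to the original bytes.
function jsStringJson(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($value, $flags);
    if ($encoded === false) {
        // Invalid UTF-8 or another encoding error: fail closed instead of
        // printing a half-encoded literal into the page.
        throw new InvalidArgumentException(
            'value cannot be encoded: ' . json_last_error_msg()
        );
    }
    return $encoded;
}

// Constructed sample values: a name with an apostrophe and ampersand, a value
// that would close the script block if copied verbatim, and one with a newline.
$samples = [
    "O'Reilly & Sons",
    "</script>",
    "line1\nline2",
];

foreach ($samples as $value) {
    printf("input : %s\n", str_replace("\n", '\\n', $value));
    printf("legacy: var v = %s;\n", jsStringLegacy($value));
    printf("json  : var v = %s;\n\n", jsStringJson($value));
}
```

Running it shows the difference: the legacy form turns `O'Reilly & Sons` into `'O&#039;Reilly &amp; Sons'`, so the script works with entity text rather than the user's value, and the newline sample is printed with a literal line break inside the single-quoted literal, which is a JavaScript syntax error. The json_encode() form yields `"O\u0027Reilly \u0026 Sons"`, `"\u003C\/script\u003E"` and `"line1\nline2"`, all of which decode to the original strings and none of which can end the string literal or the `<script>` element. Either way, the value should still be treated as untrusted once it is in JavaScript (assigned to textContent or used as data, not re-inserted as HTML).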