From 41ae13ea3a65e4b5330957a9cc1fb5efa2b27212 Mon Sep 17 00:00:00 2001
From: asier-isayas
Date: Tue, 26 May 2026 16:44:10 -0400
Subject: [PATCH] Fix stored XSS via Cassandra column names in DataTable headers (#2499)
Co-authored-by: Asier Isayas
---
 src/Explorer/Tables/DataTable/DataTableBindingManager.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Explorer/Tables/DataTable/DataTableBindingManager.ts b/src/Explorer/Tables/DataTable/DataTableBindingManager.ts
index 41a1d49e4..f786e9ee4 100644
--- a/src/Explorer/Tables/DataTable/DataTableBindingManager.ts
+++ b/src/Explorer/Tables/DataTable/DataTableBindingManager.ts
@@ -93,7 +93,7 @@ function createDataTable(
 for (var i = 0; i < tableEntityListViewModel.headers.length; i++) {
 jsonColTable.push({
- sTitle: tableEntityListViewModel.headers[i],
+ sTitle: Utilities.htmlEncode(tableEntityListViewModel.headers[i]),
 data: tableEntityListViewModel.headers[i],
 aTargets: [i],
 mRender: bindColumn,
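Review bot: The encoded `sTitle` now sits directly above a raw `data: tableEntityListViewModel.headers[i]`, and nothing in the hunk tells the next maintainer why the two differ, so a later cleanup could drop the encoding or encode `data` as well and break the column lookup. I would add a comment above `sTitle`, e.g. `// DataTables writes sTitle into the header cell as HTML and column names are user-controlled, so encode; data is a property accessor and must stay raw.` The commit changes a single line and adds no test; a unit test asserting that a header containing `<` and `>` comes out entity-encoded in the generated column definition would pin the fix. Whether cell values are encoded depends on `bindColumn`, which is defined outside this hunk, so that path should be confirmed separately. createDataTable's body starts and ends outside the hunk.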