I am happy to announce that Handsontable 8.2.0 is here! In this version, we took special care to improve security against XSS attacks. We also adapted the sorting plugin to benefit from the changes brought by version 8.0.0. This release also brings several minor fixes. All of the wrappers (for React, Angular, and Vue) support 8.2.0 in their newest versions.

Security update – sanitization and a new helper method

Recently, we decided to put Handsontable under an external audit. The results showed that there was an area to improve – our defense mechanism against XSS attacks. We decided to implement a solution that can be trusted, so we used a widely recommended library that sanitizes HTML – DOMPurify. It is used as a sanitizer wherever required across Handsontable. Additionally, the library was implemented to be used as a helper method: Handsontable.helper.sanitize. You can use this function to remove unwanted parts based on DOMPurify’s configuration in order to sanitize text the way you need. As a default, the helper leaves HTML tags but removes any potentially dangerous attributes. You can find more information about this topic in the issue description here.

A new type of index mapper

Apart from making the component more secure, we also spent time improving plugins. We implemented the architectural solution introduced in Handsontable 8.0.0 into the sorting plugin, giving it a more stable and predictable system for index management. Thanks to this change, an issue related to the sorting indicator moving incorrectly when adding a column was fixed. You can find implementation details in the PR description.

List of fixed issues:

• Fixed an issue where the container was not updated after trimming rows. (#7241)
• Fixed an issue where the htmlToGridSettings helper threw an error if a  <table> with no rows was passed. (#7311)
• Fixed an issue where the sorting indicator moved incorrectly when a column was added. (#6397)
• Fixed an issue where untrimming previously trimmed rows would sometimes result in the table instance not refreshing its height, leaving the row headers improperly rendered. (#6276)
• Fixed an issue where the hidden columns plugin caused unintended scrolling when some cells were hidden. (#7322)
• Fixed an issue where an error was thrown while hovering over row/column headers. (#6926)
• Fixed an issue where table validation caused incorrect data rendering if the hidden rows/column plugin was enabled. (#7301)
• Fixed an issue where adding 0 rows to the table ended with doubled entries in index mappers’ collections. (#7326)
• Fixed a problem with the inconsistent behavior of the Context Menu’s “Clear column” disabled status. (#7003)
• Fixed an issue with parsing multiline cells on pasting text/html mime-type. (#7369)