Edward Samuel Pasaribu

Reputation: 3968

Datatables encode HTML

I have used jQuery Datatables on my Laravel web apps. I have used packagist chumper/datatable to handle Datatables server processing.

Unfortunately, I found a serious security problem, i.e. XSS (cross-site scripting). The server returns JSON data and the client loads the data into the table without escaping it.

How can I get the client to escape the data before loading it into the table?

Upvotes: 3

Views: 3812

Answers (1)

Edward Samuel Pasaribu

Reputation: 3968

fnCreatedRow is a callback function for manipulating a table row element after the row has been created. We can use this callback function to modify the row before it is inserted into the HTML document.

I used chumper/datatable to generate this function:

// Build the DataTables definition server-side with chumper/datatable.
$table = Datatable::table()
    ->addColumn('ID', 'Username', 'Name', 'Email', 'Actions')
    // Endpoint that answers the DataTables server-side processing requests.
    ->setUrl(URL::to('admin/users/data'))
    ->setOptions(array('aoColumns' => array(array('sType' => 'numeric'), null, null, null, array('bSortable' => false))))
    // fnCreatedRow runs in the browser once per row, before the row is attached to the DOM.
    ->setCallbacks('fnCreatedRow',
        'function(nRow, aData, iDisplayIndex, iDisplayIndexFull) {
            // Columns 1..3 (Username, Name, Email) hold user-supplied values:
            // .text() sets them as text content, so markup in the data is not interpreted.
            for (var i = 1; i < 4; i++) jQuery("td:eq(" + i + ")", nRow).text(aData[i]);
        }'
    )
    ->noScript();
return View::make('admin.users.index', compact('table'));

I used fnCreatedRow to modify the content of each td element so the td elements display the data as text (HTML encoded).

Upvotes: 2
