Special Characters
Hello,
I noticed that HTML special characters such as < are not being encoded to their ASCII or Unicode form before being written to the innerHTML property of the table cell. I've updated my own code but would like to submit the changes to this forum for others.
Within the function _fnAddData change the 41st line from:
nTd.innerHTML = aData[i];
to:
$(nTd).html(_htmlspecialchars(aData[i]));
Within the function list (after the closing brace of _fnAddData perhaps), you could add the code from php.js (http://kevin.vanzonneveld.net) which emulates the PHP htmlspecialchars function. You can find the code here: http://phpjs.org/functions/htmlspecialchars:426
I named the function _htmlspecialchars to follow the naming convention for DataTables, but you don't need to rename it. I also updated the code to no longer use innerHTML as that doesn't update the DOM properly on all browsers. jQuery's $.html() function has appropriate methods to update the DOM.
Best Regards!
Replies
Thanks for this - I'm sure I'll be linking to this post in future!
The trick here is that it's actually quite useful to be able to inject HTML into the table - bolding a word in a string for example, or adding a span for easy event handling. So what I've done is to leave it up to the developer to escape characters if they wish, or to inject HTML as needed. Everyone is a winner :-)
Regards,
Allan
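An added example, not code from the original poster or from DataTables, covering both the escaping suggested in the first post and the per-column choice Allan describes: htmlSpecialChars, renderCells and the column option allowHtml are assumed names, and the row data is constructed.

```javascript
// Added example (not DataTables' own code): a PHP-htmlspecialchars-style
// escaper for cell values, plus a per-column switch so a developer can still
// inject markup deliberately while untrusted data is escaped by default.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Mirrors PHP htmlspecialchars(): 'ENT_QUOTES' escapes both quote kinds,
// 'ENT_COMPAT' (PHP's older default) leaves single quotes untouched.
// A single regex pass means '&' never gets double-escaped.
function htmlSpecialChars(value, quoteStyle = 'ENT_QUOTES') {
  const s = value == null ? '' : String(value); // cells may hold numbers or null
  const re = quoteStyle === 'ENT_COMPAT' ? /[&<>"]/g : /[&<>"']/g;
  return s.replace(re, (ch) => ENTITY_MAP[ch]);
}

// Produce the innerHTML string for each cell of one row (aData, as in
// _fnAddData). A column whose definition sets allowHtml: true is rendered as
// raw markup (the "bold a word" / "add a span" case); every other column is
// escaped, so a value like '5 < 6' shows literally instead of being parsed as a tag.
function renderCells(aData, columns) {
  return aData.map((cell, i) => {
    const col = columns[i] || {}; // hypothetical per-column option object
    return col.allowHtml ? String(cell) : htmlSpecialChars(cell);
  });
}

// Constructed sample row: an untrusted text value and a developer-supplied span.
const sampleRow = ['Smith & Sons <Ltd> "Q1"', '<span class="hl">Total</span>'];
const sampleColumns = [{}, { allowHtml: true }];

// Shown when run directly: the first cell is escaped, the second passes through.
console.log(renderCells(sampleRow, sampleColumns));
```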