Editor - Allow certain special character like '&' when using the xss validator
Hi Everyone! When using 'Validate::xss' ... is it possible to allow certain characters that are by default not allowed?
E.g. when using 'Validate::xss', special characters like '&' are not allowed. But I would like to use 'Validate::xss' and still allow '&':
Field::inst( 'opportunities.description' )
->validator( 'Validate::notEmpty' )
->validator( 'Validate::xss' ),
Is this possible? Many thanks
Answers
I think you would need to replace the default XSS filter with something like HTMLPurifier.
Allan
Or should I use the noTags validator instead when I want to allow '&' and still secure the input? Would that also be fairly safe against attacks?
... unfortunately I have no clue how I would need to integrate HTMLPurifier into DataTables ...
You'd need to replace the XSS formatter regardless of whatever validation is used. You can do so by passing the HTMLPurifier function into the Field's 'xss' method. Basically it just needs a function that can be called to do the security formatting needed.

Another option is to disable XSS completely and then use a formatter on the client-side when displaying the table, as discussed here.
Allan
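The two routes Allan describes, written out as an added example; this is not code from the thread or from the Editor project. It assumes Editor's PHP libraries with the usual lib/DataTables.php bootstrap providing $db, and HTMLPurifier installed through Composer (ezyang/htmlpurifier). The helper descriptionPurifier() and the second column opportunities.title are mine, added to show both options side by side. One caveat a practitioner should know before choosing: any HTML sanitiser, HTMLPurifier included, re-serialises its input as HTML, so a bare '&' comes back as '&amp;'. That is correct for a field the client renders as HTML, but wrong for plain text, which is why the plain-text field below disables the server-side formatter and relies on escaping at display time instead. As I read Editor's 'Validate::xss', it rejects any value the field's XSS formatter would alter, so it is deliberately not used on either field here (check this against your Editor version).

```php
<?php
// Added example (not from the thread or the Editor project). Assumes the
// Editor PHP libraries, their lib/DataTables.php bootstrap (provides $db),
// and ezyang/htmlpurifier installed via Composer. descriptionPurifier() and
// the 'opportunities.title' column are invented for this example.
require 'vendor/autoload.php';
include 'lib/DataTables.php';

use DataTables\Editor;
use DataTables\Editor\Field;

// One purifier instance with an explicit allowlist. Everything not listed
// (script/style elements, event-handler attributes, javascript: URLs) is
// dropped rather than escaped.
function descriptionPurifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        $config->set('HTML.Nofollow', true);
        $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

Editor::inst($db, 'opportunities')
    ->fields(
        // Option 1: rich-text field. Replace the default XSS formatter with
        // HTMLPurifier by passing a callable to xss(). The purifier returns
        // HTML, so a bare '&' is stored as '&amp;', which displays as '&'
        // once the client renders the column as HTML.
        Field::inst('opportunities.description')
            ->validator('Validate::notEmpty')
            ->xss(function ($val) {
                return descriptionPurifier()->purify((string) $val);
            }),

        // Option 2: plain-text field. Reject markup up front with noTags,
        // disable the server-side formatter so '&' is stored verbatim, and
        // HTML-escape the value on the client when the table renders it.
        Field::inst('opportunities.title')
            ->validator('Validate::notEmpty')
            ->validator('Validate::noTags')
            ->xss(false)
    )
    ->process($_POST)
    ->json();
```

For option 2 the escaping on the client is not optional: with xss(false) the database holds whatever the user typed, so the column must be displayed through a renderer that HTML-encodes the value (for example a columns.render callback) rather than injected as raw HTML. For option 1, keep the HTML.Allowed list as short as the feature needs; widening it to things like img or style is where sanitiser bypasses usually start.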