How should HTML character entities be escaped when rendering from an AJAX request?
snufflingbadger
For example, if I have the following JSON response:
{"data": [["<b>test</b>&"]]}
How do I render that as a literal (not HTML) within a column?
By default, tags are not escaped, so the "test" text renders in bold (not what I want). If I use the text helper render function, the <b> tags are escaped, but the & is not, i.e. it appears as <b>test</b>& (not what I want). How do I render the text within the column as the literal string <b>test</b>&?
Thanks in advance.
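As an added illustration (not code from the thread or from the DataTables project), the renderer below escapes all five HTML-significant characters, so a value like the one in the question is shown literally; the thread describes the built-in text helper of the time as escaping tags but not a bare &, and this stand-in closes that gap. The function names and the embedded sample response are assumptions made for this example.

```javascript
// Added example (not from the thread or the DataTables project): a column
// renderer that escapes all five HTML-significant characters, so a cell value
// like "<b>test</b>&" is shown literally instead of being parsed as markup.
// The thread describes render.text() as escaping tags but not a bare "&";
// this helper is a stand-in written for illustration, not the library's own
// code.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for safe insertion into an HTML text node or attribute.
// null/undefined become an empty string; other non-strings are coerced.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// DataTables column render signature: (data, type, row, meta).
// Only the 'display' type is escaped; 'sort', 'filter' and 'type' get the raw
// value so sorting and searching still operate on the original text.
function literalTextRender(data, type, row, meta) {
  return type === "display" ? escapeHtml(data) : data;
}

// The JSON response from the question, embedded as a constructed sample.
const sampleResponse = { data: [["<b>test</b>&"]] };

// Usage as a DataTables column definition (not executed here):
//   $('#example').DataTable({
//     data: sampleResponse.data,
//     columns: [{ render: literalTextRender }]
//   });

// Render the sample cell for 'display' and confirm 'filter' keeps the original.
function renderSample() {
  const cell = sampleResponse.data[0][0];
  return {
    display: literalTextRender(cell, "display", sampleResponse.data[0], {}),
    filter: literalTextRender(cell, "filter", sampleResponse.data[0], {}),
  };
}
```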
Answers
Thank you for the details! I've just committed a fix for this and the nightly will be up to date with the change in about 10 minutes (from the time of posting - 09.30 UTC).
Allan
Hi
I get an error when writing characters such as a single quote in an editor form which your app saves as encoded html in the db:
wwwwwwww'wwwww
becomes in the db:
wwwwwwww'wwwww
I can add or modify the data on the form but deleting throws:
System.Web.HttpRequestValidationException
HResult=0x80004005
Message=A potentially dangerous Request.Form value was detected from the client (data[row_1][NotesBody]="wwwwwwww'wwwww").
Source=DataTables-Editor-Server
StackTrace:
at DataTables.Editor.Process(NameValueCollection data) in /home/vagrant/DataTablesSrc/extensions/Editor-NET/DataTables-Editor-Server/Editor.cs:line 910
This exception was originally thrown at this call stack:
[External Code]
DataTables.Editor.Process(System.Collections.Specialized.NameValueCollection) in Editor.cs
I use the refs outlined on https://datatables.net/forums/discussion/comment/169338 and tried the updates under DataTables on https://datatables.net/download/nightly but same error occurs. Please advise.
The Microsoft XSS protection is really aggressive, escaping almost everything. Add .Xss(false) to the fields to stop it from doing that escaping. Note that if this is a public facing site though, you should use DataTables' text renderer to prevent potential XSS attacks.
Allan
I'd like to save the data in db as non encoded strings and returned to DT appropriately (as encoded if required just as long as they render as plain text in a browser window). How can this be achieved?
Why do I get this error only when deleting and not when saving or modifying?
I still get the error with the renderer code
Using the Xss method works. Thanks.
If it's safer to use the renderer, I'd still prefer to do so but need a solution for the deletion of records
Hi, Would you have news on this please?
Are you using .NET Framework? If so, use Process(request.Unvalidated) rather than Process(request).
Allan
Hi, I am also having an issue with HTML rendering while using SearchPanes. I have data that contains less than symbols (<) such as "Serial Number<<Compare<<Convert<<Main" which ends up being displayed properly in both the datatable and the SearchPane when I use the option $.fn.dataTable.render.text(). However, when I go to select this option from the SearchPane to filter the datatable, it does not find the matching records. Any help is appreciated!
Could you try the nightly of SearchPanes which I believe should resolve this. I'll ask Sandy to take a look tomorrow when he is back in as well.
Allan
Hi Allan, thanks for getting back so quickly. I have tried both the nightly build and the latest stable build and neither resolve this issue.
Thanks
Hi @mdesmond ,
We did push a fix for something very similar to this in the nightly builds within the last couple of weeks. Are you sure that you are getting the latest version of the nightly builds? It might be worth adding ?aslfkbgalfbglaub to the end of the url just to make sure that you are breaking the cache. This is the post where the fix was made, there are some examples in there as well that would be worth looking at.
If that doesn't work could you link to a test case please? Information on how to create a test case (if you aren't able to link to the page you are working on) is available here, or you could edit one of the examples in the other post.
Thanks,
Sandy
Hi Sandy,
Here is a link to a test case using the nightly builds: http://live.datatables.net/lovupalu/1/. It appears the problem occurs when there are two or more adjacent less than symbols in a line of text.
Thank you!
Mike
Yep, I'm seeing it here too. I've raised it internally (DD-1830 for my reference) and we'll report back here when there's an update.
Cheers,
Colin
Hi Colin,
Thank you for working on resolving this issue. Just checking in to see if you have any updates.
Thanks
This has actually been closed a couple of weeks ago - apologies, we forgot to update the forum thread. A release hasn't been made to include it yet, that should happen in the next couple of weeks, but the nightly releases here contain the fixes.
Colin
Thank you so much @colin !!!!
Hi Colin,
Sorry to open this thread back up, but unfortunately I am still seeing this issue but with quotation marks this time. Here is a link to a fresh test case using the nightly builds: live.datatables.net/xegetehi/1/edit?html,js,output
Thank you.
Sorry about that, when I re-test I'll go through a few characters. I've re-opened the same case (DD-1830) and we'll report back here when there's progress (probably Friday).
Colin
Hi @mdesmond ,
That should be the issue fixed now as you can see at this example. This will be available in the next SearchPanes release which we hope will be in the next few weeks. Until then you can access the fix from the nightly builds.
Thanks,
Sandy
Thank you @sandy! I can confirm it works as expected. Looking forward to the next release.
Hi All,
I have updated to the latest builds and the text rendering seems to be much improved, although I am now seeing a new issue with the SearchPanes. It seems that when I have one filter already applied and then go to select another filter which contains a special character (the less than symbol '<' in particular), the special-character filter item gets duplicated within the SearchPane. One of the duplicates becomes selected, and will show that there are zero matching records even though there are 1+. The other duplicate is not selectable, but shows the correct amount of matching records.
Here is a demo using the nightly builds (issue is the same with latest release too):
live.datatables.net/nutugufe/1/
If you select the 'Failed' filter, and then select one of the filters within the 'CAUSE' filter, you will see the issue.
It does end up filtering the data properly, the appearance is just messed up within the SearchPane.
Hi @mdesmond ,
Thanks for pointing this out and for the test case. Something isn't right there. I've raised an issue internally (DD-2349 for my reference). I've made a fix for this as you can see at this example.
This will be available in the next SearchPanes release which we hope will be in the next few weeks. Until then you can access the fix from the nightly builds.
Thanks,
Sandy