Prevent XSS Vulnerability on JSON file (Ajax data source (objects))
Alex67000
Posts: 39 | Questions: 6 | Answers: 0
My JSON file is generated by a form where everyone can inject HTML or Javascript.
Then it's read by Datatables.
How do I prevent DataTables from outputting HTML and JS in the table after reading the JSON file (objects.json)?

```js
$(document).ready(function () {
    var table = $('#lfg').DataTable({
        ajax: 'objects.json',
        // ...
    });
});
```
Replies
Answer:
```php
echo htmlspecialchars( json_encode($result), ENT_NOQUOTES );
```
That's a good option. The other is to use the text renderer built into DataTables.
Allan
Thank you allan.
How do I render `DataTable.render.text()` on Child Rows?
It seems that it doesn't work with Child Rows.
See the screencapture:
https://i.gyazo.com/2b1b03a724da62268a89cb7e48708671.png
https://i.gyazo.com/4b16a8cd4b786a00651089a34670962c.png
No - the child row display is under your control, not DataTables. You could use

```js
DataTable.render.text().display('my string to escape')
```

or perhaps jQuery's `text()` method or `textContent` if you are doing it with DOM methods.

Allan
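An added example (not code from this thread or from DataTables) showing both halves of the advice above: the text renderer on every column that displays form input, and explicit escaping inside a hand-built child row. `escapeHtml` is a local stand-in for `DataTable.render.text().display()` so the functions can run outside a browser; `sampleRow` is constructed test data and `columnsFor` / `formatChildRow` / `childRowIsSafe` are hypothetical helper names.

```javascript
// Constructed record, as it might arrive from objects.json after a form submission.
const sampleRow = {
  name: '<script>alert("xss")</script>',
  group: 'Raid & "Dungeon" <b>team</b>',
  notes: "it's <i>fine</i>"
};

// Local stand-in for DataTable.render.text().display(): entity-encode the five
// characters that can break out of text or attribute context in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Column definitions for the main table: every column that shows user input gets
// the text renderer, so DataTables inserts the value as text, never as HTML.
// In the browser pass DataTable.render.text(); it is injected here so the
// function can be exercised without DataTables loaded.
function columnsFor(renderText) {
  return ['name', 'group', 'notes'].map(key => ({ data: key, render: renderText }));
}

// Child-row formatter: DataTables does not escape this markup for you, so each
// field is escaped before it is concatenated into HTML. `esc` defaults to the
// local helper; in the browser pass DataTable.render.text().display.
function formatChildRow(row, esc = escapeHtml) {
  return (
    '<table class="child">' +
    `<tr><td>Group:</td><td>${esc(row.group)}</td></tr>` +
    `<tr><td>Notes:</td><td>${esc(row.notes)}</td></tr>` +
    '</table>'
  );
}

// Self-check: true when no raw '<' or '>' survives inside any cell of the child row.
function childRowIsSafe(row, esc = escapeHtml) {
  const cells = formatChildRow(row, esc).match(/<td>(.*?)<\/td>/g) || [];
  return cells.every(cell => !/[<>]/.test(cell.slice(4, -5)));
}

// Browser wiring (not executed here):
// $('#lfg').DataTable({ ajax: 'objects.json', columns: columnsFor(DataTable.render.text()) });
// row.child(formatChildRow(row.data(), DataTable.render.text().display)).show();
```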
Thank you allan!