Do you think that columnDefs from defaults should be merged with columnDefs from init options?

szmalec

Hello.

I am using DataTables v1.10.12 in my web app and I have used solution from https://github.com/DataTables/DataTables/issues/497#issuecomment-199400703 - so I have global code executed on init:

$.extend(true, $.fn.dataTable.defaults, { column: { render: $.fn.dataTable.render.text() } });

thanks to it my default renderer is text() so I have no problem with XSS.

For some colums I still need to have possibility to render html so I could pass render: null in $('#xxx').DataTable({ ... columns: [ ...] ...}). It would be OK but I have few places in app when columns are defined using HTML markup (th tag) and there is no columns property in init options when calling DataTable constructor. So to enable html content for some columns I modified my global code with datatables defaults to something like this (idea taken from https://datatables.net/forums/discussion/21164/disable-sorting-of-one-column:

$.extend(true, $.fn.dataTable.defaults, {
            column: {
                render: $.fn.dataTable.render.text()
            },
            columnDefs: [
                { targets: 'dt-no-default-render', render: null, },
                { targets: 'dt-no-sort', orderable: false, }
            ],
        });

and I have modified HTML markup to look like this:

<th class="dt-no-default-render dt-no-sort">Action</th>

It is also OK and works properly BUT in some places following code is present:

$("#tab").DataTable({ 
...
columnDefs: [{ ... }],
...
});

and it looks that my default opitions for columnDefs are NOT used - datatables uses only columnDefs from init options...

Some kind of workaround is following code:

$("#tab").DataTable({ 
...
columnDefs: [{ ... }].concat($.fn.dataTable.defaults.columnDefs),
...
});

but don't you think that columnDefs from init options should be extended with columnDefs from defaults?

Is any other idea how to provide global anti-XSS solution when displaying data in datatables? Should I always use columns with explicite render property in datatables init options?

allan

I've just tried putting together a little test case and it looks like columnDefs can be used to override a default set for a column property: http://live.datatables.net/yoyovuse/1/edit .

I've used title there to try and keep things simple and obvious.

If you are able to modify it to show the issue I'll hopefully be able to make any required changes.

Allan

rstheo

Check this modification out to see the issue:
http://live.datatables.net/yoyovuse/7/edit?html,css,js,output