Editor - Allow certain special character like '&' when using the xss validator

Editor - Allow certain special character like '&' when using the xss validator

CapamaniaCapamania Posts: 233Questions: 81Answers: 5

Hi Everyone! When using 'Validate::xss' ... is it possible to allow certain characters that are by default not allowed?

Like e.g. when using 'Validate::xss' ... special character like '&' is not allowed. But I would like to use 'Validate::xss' and allow '&' ...

        Field::inst( 'opportunities.description' )
            ->validator( 'Validate::notEmpty' )
            ->validator( 'Validate::xss' ),

Is this possible? Many thanks

Answers

  • allanallan Posts: 63,516Questions: 1Answers: 10,472 Site admin

    I think you would need to replace the default XSS filter with something like HTMLPurifier.

    Allan

  • CapamaniaCapamania Posts: 233Questions: 81Answers: 5
    edited September 2017

    Or should I use the noTags validator instead when I want to allow '&' and still secure the input? Would that be also fairly save against attacks?

    ... unfortunately I have no clue how I would need to integrate the HTMLPurifier in DataTables ...

  • allanallan Posts: 63,516Questions: 1Answers: 10,472 Site admin

    You'd need to replace the XSS formatter regardless of whatever validation is used. You can do so by passing the HTMLPurifier function into the Field's xss method. Basically it just needs a function that can be called to do the security formatting needed.

    Another option is to disable XSS completely and then use a formatter on the client-side when displaying the table, as discussed here.

    Allan

This discussion has been closed.