Editor - Allow certain special character like '&' when using the xss validator

Capamania (Posts: 229, Questions: 79, Answers: 5)

Hi Everyone! When using 'Validate::xss' ... is it possible to allow certain characters that are by default not allowed?

Like e.g. when using 'Validate::xss' ... special characters like '&' are not allowed. But I would like to use 'Validate::xss' and allow '&' ...

        Field::inst( 'opportunities.description' )
            ->validator( 'Validate::notEmpty' )
            ->validator( 'Validate::xss' ),

Is this possible? Many thanks

Answers

  • allan (Posts: 61,946, Questions: 1, Answers: 10,158, Site admin)

    I think you would need to replace the default XSS filter with something like HTMLPurifier.

    Allan

  • Capamania (Posts: 229, Questions: 79, Answers: 5)
    edited September 2017

    Or should I use the noTags validator instead when I want to allow '&' and still secure the input? Would that also be fairly safe against attacks?

    ... unfortunately I have no clue how I would need to integrate the HTMLPurifier in DataTables ...

  • allan (Posts: 61,946, Questions: 1, Answers: 10,158, Site admin)

    You'd need to replace the XSS formatter regardless of whatever validation is used. You can do so by passing the HTMLPurifier function into the Field's xss method. Basically it just needs a function that can be called to do the security formatting needed.

    Another option is to disable XSS completely and then use a formatter on the client-side when displaying the table, as discussed here.

    Allan
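Putting Allan's suggestion into code, as an added example that is not part of the thread or of the Editor libraries: HTMLPurifier is handed to the Field's xss method as the replacement sanitiser. It assumes the Editor PHP libraries and HTMLPurifier (ezyang/htmlpurifier via Composer) are installed, that Editor's bootstrap defines `$db`, and that the table and field names are taken from the question.

```php
<?php
// Added example (not from the thread): replace Editor's default XSS filter
// with HTMLPurifier so a bare '&' is accepted while markup is stripped.
// Assumes vendor/autoload.php (HTMLPurifier) and Editor's lib/DataTables.php
// (which defines $db) exist at these paths; adjust for your layout.
require_once 'vendor/autoload.php';
require_once 'lib/DataTables.php';

use DataTables\Editor;
use DataTables\Editor\Field;
use DataTables\Editor\Validate;

// HTMLPurifier configured to allow no elements at all: the result is
// plain text, HTML-escaped, with every tag and attribute removed.
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Allowed', '');        // empty list = strip all tags
$purifier = new HTMLPurifier($config);

// Editor calls the xss callback with the submitted value and stores the
// return value. A literal '&' comes back as '&amp;', which is exactly what
// should be stored if the column is later rendered as HTML: it displays as
// '&' in the table but cannot start an entity or tag injection. Do not
// html_entity_decode() it here, or '&lt;script&gt;' would turn back into
// a real tag in the database.
$purify = function ($val) use ($purifier) {
    return $purifier->purify((string) $val);
};

Editor::inst($db, 'opportunities')
    ->fields(
        Field::inst('opportunities.description')
            ->validator('Validate::notEmpty')   // keep the other validators
            ->xss($purify)                      // replaces the default filter
    )
    ->process($_POST)
    ->json();
```

Because the value is sanitised on write rather than only validated, the 'Validate::xss' validator is no longer needed on that field; 'Validate::notEmpty' and any other checks stay as they were.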
