Another take on the ampersand saga.

tangerine Posts: 2,769 Questions: 22 Answers: 323

Hi Allan.
I was looking for a htmLawed config option which would allow ampersands without neutralizing them. Either there isn't one or I'm not bright enough to understand them.
But I thought it might be useful to have your Htmlaw wrapper class look for an external config file before using its own built-in config array. That way, smarter developers than me need not fear upgrades.
Just a thought.

Replies

  • allan Posts: 52,641 Questions: 1 Answers: 8,053 Site admin

    I don't see an option for that either, I'm afraid. One option is to use a DOM parsing library such as HTMLPurifier which should handle this sort of thing much better. The downside is that it is fairly massive, which is why I didn't include it with Editor by default.

    The correct thing to do is really to disable XSS protection in Editor write and only do the protection when displaying in the table. I'm toying with the idea of making that change for v2 of DT and Editor, but I think it will cause a lot of heartache if DataTables does HTML escaping by default in v2. It does feel like the right thing to do though.

    Allan

This discussion has been closed.
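The trade-off raised in the reply above (neutralise on write versus escape on display), shown on a value containing an ampersand. This is an added example, not part of the original thread and not code from Editor, DataTables or htmLawed; `saveNeutralised`, `saveRaw`, `renderCell` and `roundTrip` are hypothetical names, and `saveNeutralised` is a simplified stand-in for a write-time filter.

```javascript
// Added example: constructed inputs, hypothetical function names.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for placement in HTML element content or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Strategy A (assumption: simplified stand-in for a write-time filter).
// The value is neutralised before storage, so the database no longer
// holds what the user typed.
function saveNeutralised(input) {
  return escapeHtml(input);
}

// Strategy B: store exactly what was submitted and defer protection
// to the point where the value is placed into HTML.
function saveRaw(input) {
  return input;
}

// Display path that encodes on output, as a table renderer would when
// HTML escaping is applied at display time.
function renderCell(stored) {
  return '<td>' + escapeHtml(stored) + '</td>';
}

// Run one value through save + display and report both results.
function roundTrip(save, input) {
  const stored = save(input);
  return { stored, cell: renderCell(stored) };
}

const samples = ['Marks & Spencer', '<script>alert(1)</script>']; // constructed
for (const s of samples) {
  console.log('neutralise on write:', roundTrip(saveNeutralised, s));
  console.log('escape on display:  ', roundTrip(saveRaw, s));
}
```

With both layers active the ampersand is encoded twice and the user sees a literal `&amp;` in the table; with raw storage and display-time escaping the stored value is unchanged and markup is still rendered inert.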