How should HTML character entities be escaped when rendering from an AJAX request?

snufflingbadger Posts: 1 Questions: 1 Answers: 0

For example, if I have the following JSON response:

{"data": [["<b>test</b>&amp;"]]}

How do I render that as a literal (not HTML) within a column?

By default, tags are not escaped, so the "test" text renders in bold (not what I want). If I use the text helper render function, the <b> tags are escaped, but the &amp; is not, i.e. it appears as <b>test</b>& (not what I want). How do I render the text within the column as the literal string <b>test</b>&amp;?

Thanks in advance.
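An added example (not code from the original post or from DataTables itself) of a column renderer that shows the cell data as the literal string `<b>test</b>&amp;`: it escapes `&` before the angle brackets, so entity text in the data is not decoded by the browser. It assumes DataTables' `columns.render(data, type, row, meta)` calling convention; the column definition and the choice to escape only the `'display'` type are this example's own.

```javascript
// Added example, not DataTables' own code: a column renderer that makes a
// cell show its data as literal text. "&" is escaped first, so entity text
// such as "&amp;" in the data survives as the literal characters "&amp;"
// instead of being decoded by the browser into a bare "&".
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-significant character in a value for insertion into
// element content or a quoted attribute. null/undefined become ''.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// DataTables calls columns.render as render(data, type, row, meta). Only the
// 'display' string is written into the DOM, so that one is escaped and the
// 'sort', 'filter' and 'type' data are left untouched (an assumption of this
// example: searching then matches the raw text the user sees, not the
// entity names produced by escaping).
function literalTextRender(data, type) {
  return type === 'display' ? escapeHtml(data) : data;
}

// Hypothetical column definition applying the renderer to every column.
const columnDefs = [{ targets: '_all', render: literalTextRender }];

// Constructed sample response, the same shape as the JSON in the question.
const sampleResponse = { data: [['<b>test</b>&amp;']] };

// What each cell's innerHTML would contain once rendered for display.
function renderSample(response) {
  return response.data.map((row) =>
    row.map((cell) => literalTextRender(cell, 'display')),
  );
}
```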

Answers

  • allan Posts: 53,082 Questions: 1 Answers: 8,177 Site admin

    Thank you for the details! I've just committed a fix for this and the nightly will be up to date with the change in about 10 minutes (from the time of posting - 09.30 UTC).

    Allan

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    Hi
    I get an error when writing characters such as a single quote in an editor form, which your app saves as encoded HTML in the db:

    wwwwwwww'wwwww

    becomes in the db:

    wwwwwwww&#39;wwwww

    I can add or modify the data on the form but deleting throws:

    System.Web.HttpRequestValidationException
    HResult=0x80004005
    Message=A potentially dangerous Request.Form value was detected from the client (data[row_1][NotesBody]="wwwwwwww'wwwww").
    Source=DataTables-Editor-Server
    StackTrace:
    at DataTables.Editor.Process(NameValueCollection data) in /home/vagrant/DataTablesSrc/extensions/Editor-NET/DataTables-Editor-Server/Editor.cs:line 910

    This exception was originally thrown at this call stack:
    [External Code]
    DataTables.Editor.Process(System.Collections.Specialized.NameValueCollection) in Editor.cs

    I use the refs outlined on https://datatables.net/forums/discussion/comment/169338 and tried the updates under DataTables on https://datatables.net/download/nightly, but the same error occurs. Please advise.

  • allan Posts: 53,082 Questions: 1 Answers: 8,177 Site admin

    The Microsoft XSS protection is really aggressive, escaping almost everything. Add .Xss(false) to the fields to stop it from doing that escaping.

    Note that if this is a public facing site though, you should use DataTables' text renderer to prevent potential XSS attacks.

    Allan

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    I'd like to save the data in the db as non-encoded strings and have them returned to DT appropriately (encoded if required, just as long as they render as plain text in a browser window). How can this be achieved?

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    Why do I get this error only when deleting and not when saving or modifying?
    I still get the error with the renderer code.

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    Using the Xss method works. Thanks.

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    If it's safer to use the renderer, I'd still prefer to do so, but I need a solution for the deletion of records.

  • dynasoft Posts: 357 Questions: 57 Answers: 3

    Hi, would you have any news on this, please?

  • allan Posts: 53,082 Questions: 1 Answers: 8,177 Site admin

    Are you using .NET Framework? If so, use Process(request.Unvalidated) rather than Process(request).

    Allan

  • mdesmond Posts: 2 Questions: 0 Answers: 0

    Hi, I am also having an issue with HTML rendering while using SearchPanes. I have data that contains less than symbols (<) such as "Serial Number<<Compare<<Convert<<Main" which ends up being displayed properly in both the datatable and the SearchPane when I use the option $.fn.dataTable.render.text(). However, when I go to select this option from the SearchPane to filter the datatable, it does not find the matching records. Any help is appreciated!

  • allan Posts: 53,082 Questions: 1 Answers: 8,177 Site admin

    Could you try the nightly of SearchPanes, which I believe should resolve this? I'll ask Sandy to take a look tomorrow when he is back in as well.

    Allan

  • mdesmond Posts: 2 Questions: 0 Answers: 0

    Hi Allan, thanks for getting back so quickly. I have tried both the nightly build and the latest stable build, and neither resolves this issue.

    Thanks

  • sandy Posts: 436 Questions: 0 Answers: 121

    Hi @mdesmond,

    We did push a fix for something very similar to this in the nightly builds within the last couple of weeks. Are you sure that you are getting the latest version of the nightly builds? It might be worth adding ?aslfkbgalfbglaub to the end of the URL just to make sure that you are breaking the cache.

    This is the post where the fix was made; there are some examples in there as well that would be worth looking at.

    If that doesn't work could you link to a test case please? Information on how to create a test case (if you aren't able to link to the page you are working on) is available here, or you could edit one of the examples in the other post.

    Thanks,
    Sandy
