render.text but allow simple HTML
silkspin
Posts: 152 Questions: 34 Answers: 5
I import a CSV which includes some simple HTML formatting and elements like bullet lists. The render option below escapes all code, but I wanted to know if there is a way to exclude just <script> tags for example, which would be more prone to XSS attacks than some of the more basic tags?
{
data: 'product',
render: $.fn.dataTable.render.text()
}
This discussion has been closed.
Answers
AFAIK there is nothing built in for this. You can create your own custom renderer or use columns.render to remove the tags you want.
Kevin
Thanks @kthorngren. I've decided just to escape everything with $.fn.dataTable.render.text() because realistically I'd need to strip out other js events that could also be in the data feed.

I've been trying ways of safely rendering HTML, but still being able to add line breaks to data in cells. I thought I might be able to escape all HTML but then replace a character after using render to add <br> tags. Is there any way I can achieve this?

You won't be able to define multiple renderers for the same column. I suspect that if you add a console.log statement to the render function you will find that it doesn't run. If you comment out line 3 then you will see the render function executes.
But it looks like you can do something like this using the .display() method to combine the two: http://live.datatables.net/xuqirapu/1/edit
Kevin
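The escape-then-add-line-breaks idea from the exchange above, as an added example that is not part of the thread and not DataTables' own code: instead of chaining two renderers, a single columns.render function escapes every HTML-significant character (the `escapeHtml` helper here is my own, written to behave like `$.fn.dataTable.render.text()`: escaped text for the display and filter types, raw data for sort and type) and only then converts newline characters in the escaped string into `<br>` tags. Because the escaping runs first, a `<script>` tag or an inline event handler in the CSV feed reaches the browser only as literal text. The function name and the sample cell value are assumptions constructed for this example; the `product` column name is taken from the thread.

```javascript
// Added example (not from the thread or the DataTables project): one
// columns.render function that escapes first and adds <br> tags second.

function escapeHtml(value) {
  // Assumed helper mirroring what render.text() does to a cell value;
  // null/undefined become an empty string so the table never prints "null".
  if (value === null || value === undefined) return '';
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not doubled
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// DataTables calls a render function as (data, type, row, meta).
// Only the 'display' type gets the <br> markup; 'filter' gets the escaped
// text so searching matches what the user sees; 'sort' and 'type' get the
// raw value so ordering still works on the real data.
function renderEscapedWithBreaks(data, type) {
  if (type === 'display') {
    return escapeHtml(data).replace(/\r?\n/g, '<br>');
  }
  if (type === 'filter') {
    return escapeHtml(data);
  }
  return data;
}

// Column definition as it would sit inside a DataTables initialisation;
// the surrounding $('#table').DataTable({ columns: [...] }) call is not run here.
const productColumn = {
  data: 'product',
  render: renderEscapedWithBreaks
};

// Constructed sample cell: a line break plus an injected script tag,
// the kind of content the feed might carry.
const sampleCell = 'Blue widget\n<script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderEscapedWithBreaks(sampleCell, 'display'));
  // Blue widget<br>&lt;script&gt;alert(1)&lt;/script&gt;
}
```

Note that the newline replacement operates on the already-escaped string, so the only `<br>` in the output is the one the renderer itself inserted; any `<br>` that arrived in the feed is shown as `&lt;br&gt;`. If the feed needs a different line-break marker than `\n`, change the regular expression, not the order of the two steps.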
Hi Kevin. I thought I might've been able to apply XSS prevention to all columns and then target just the one column afterwards that needed the character replacements. Your solution is perfect. I have put <script> tags in the feed and they are escaped as expected so all is fine now. Thanks for your help.