Editor using Ascii to save single quote to sql db - Select list shows ascii
I am using .Net, Datatables 1.10.18 and editor 1.9.0 with inline editing.
When a user edits a string field to use an apostrophe (single quote), the data is being stored in the sql table as ascii "'".
For example, if the user updated "Freds" to "Fred's", the table shows "Fred's". Datatables has no issue returning that, so it looks like "Fred's". However, other places in the application querying the data, for example to load a select list, actually show the ascii in the string - "Fred's".
Most of the prior data I see has the single quote saved to the db table directly with no ascii or escape character. How can I rectify this between the two different ways of handling this?
Replies
Sorry, this is what is being stored in the db and shown when using select lists instead of the single quote.
"
Thanks - I've edited the post to add code backticks, which will then render out the HTML entities.
My guess is that you are using the .NET libraries for Editor? What you are seeing is an artefact of the XSS protection. In the .NET libraries we use the Microsoft AntiXSS library which is somewhat overprotective imho.
To disable per field, use:
And if my assumption is correct, the characters will no longer be encoded as HTML entities on the database.
Allan
Whew, this works. Thank you a ton Allan.
Does disabling this then leave the field completely unprotected or are there other protections built in?
It depends a little bit on what your user access is for entering data. If an untrusted person is able to insert data, then yes, there is XSS potential there.
Have a look at this section of the Editor security manual for more details.
Using the DataTables text renderer might be best for you - but it really depends on your use case? If you are able to describe it, I might be able to offer some advice.
Regards,
Allan
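Added example, not code from this thread or from the Editor project itself: a minimal Editor .NET endpoint that switches off the per-field AntiXSS encoding with `Field.Xss(false)` (the per-field option Allan refers to above), so the apostrophe reaches the database unencoded, paired with the compensating control his second reply points at: encoding at output time in the other code paths that build HTML (here a `<select>` list) from the same rows. Table name, column name, connection string and controller route are placeholders; the client-side DataTables text renderer he mentions is the browser-side equivalent of the `OptionHtml` helper.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Http;
using DataTables; // Editor .NET server-side library

// Placeholder model for a hypothetical "customers" table.
public class CustomersModel
{
    public string name { get; set; }
}

public class CustomersController : ApiController
{
    // Placeholder route and connection details; substitute your own.
    private const string DbType = "sqlserver";
    private const string ConnStr = "<your connection string here>";

    [Route("api/customers")]
    [HttpGet, HttpPost]
    public IHttpActionResult Customers()
    {
        var request = HttpContext.Current.Request;

        using (var db = new Database(DbType, ConnStr))
        {
            var response = new Editor(db, "customers")
                .Model<CustomersModel>()
                .Field(new Field("name")
                    // Default is Xss(true): AntiXSS HTML-encodes input before it is stored,
                    // which is what turns an apostrophe into an HTML entity in the table.
                    // Xss(false) stores the raw string; every consumer that puts this
                    // value into HTML must now encode it itself (see OptionHtml below).
                    .Xss(false)
                    .Validator(Validation.NotEmpty())
                )
                .Process(request)
                .Data();

            return Json(response);
        }
    }
}

// Output-side protection for the other code paths (e.g. a select list) that
// read the raw value back: encode at the point where it becomes HTML, so a
// stored apostrophe or angle bracket is displayed rather than interpreted.
public static class SelectListHtml
{
    public static string OptionHtml(string value, string label)
    {
        return "<option value=\"" + WebUtility.HtmlEncode(value) + "\">"
             + WebUtility.HtmlEncode(label) + "</option>";
    }

    public static string Build(IEnumerable<KeyValuePair<string, string>> rows)
    {
        var sb = new StringBuilder("<select>");
        foreach (var row in rows)
        {
            sb.Append(OptionHtml(row.Key, row.Value));
        }
        return sb.Append("</select>").ToString();
    }
}
```

With `Xss(false)` the database holds `Fred's` as typed, and `OptionHtml("1", "Fred's")` encodes it only when rendered, so the select list shows the apostrophe correctly while `<script>` in a name stays inert. The trade-off is the one Allan describes: the protection moves from storage to every output path, so any page that writes the column into HTML without encoding becomes an XSS sink.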