"&" Vs "&amp";

"&" Vs "&amp";

carrarachristophecarrarachristophe Posts: 109Questions: 25Answers: 2
edited February 2023 in Editor

Hello,

I found many posts regarding encoding but none that could solve my problem.

I have the following issue with special character & only:
1. when I have the character & in my sql table, I see it as & in my datatable
2. but when I edit the same item from the datable, although I still see it as & in my datatable, it stores & in mysql table
3. as a result, for example, in the select fields using this value, I can see & and not &

The table and data are set to utf8mb4_general_ci

I also added utf-8 in the config.php file:

$sql_details = array(
    "type" => "",
    "user" => "",
    "pass" => "",
    "host" => "",
    "port" => "",
    "db"   => "",
    "dsn"  => "charset=utf8"
);

Any idea where it could come from?

Answers

  • allanallan Posts: 63,498Questions: 1Answers: 10,471 Site admin

    It will be from the XSS protection that is enabled by default. Add ->xss(false) to disable the XSS protection for a field, but make sure you use the text renderer to stop potential XSS attacks.

    Allan

  • carrarachristophecarrarachristophe Posts: 109Questions: 25Answers: 2

    Hi Allan,
    Thanks, it works now.
    As for the render, is using something like:

                {data: null, render: function ( data, type, row ) {
                    if (( data.vin_sousvignobles.website ) && ( data.vin_sousvignobles.presentation )) {
                    return type === 'display'? '<div title="' + data.vin_sousvignobles.presentation + '">' + '<a target="_blank" href="'+ data.vin_sousvignobles.website +' ">'+ data.vin_sousvignobles.sousvignoble + '</a>' + '</div>' : '<a target="_blank" href="'+ data.vin_sousvignobles.website +' ">'+ data.vin_sousvignobles.sousvignoble + '</a>';
                    }
                    if ( data.vin_sousvignobles.website ) {
                    return type === 'display'? '<div>' + '<a target="_blank" href="'+ data.vin_sousvignobles.website +' ">'+ data.vin_sousvignobles.sousvignoble + '</a>' + '</div>' : '<a target="_blank" href="'+ data.vin_sousvignobles.website +' ">'+ data.vin_sousvignobles.sousvignoble + '</a>';
                    }
                    if ( data.vin_sousvignobles.presentation ) {
                    return type === 'display'? '<div title="' + data.vin_sousvignobles.presentation + '">' + data.vin_sousvignobles.sousvignoble + '</a>' + '</div>' : data.vin_sousvignobles.sousvignoble + '</a>';
                    }
                    return data.vin_sousvignobles.sousvignoble;
                }},
    
    

    OK?

  • allanallan Posts: 63,498Questions: 1Answers: 10,471 Site admin

    If data such as data.vin_sousvignobles.sousvignoble is input by a potentially untrusted user, you should escape any HTML in it. Otherwise you are open to an XSS attack.

    Allan

  • carrarachristophecarrarachristophe Posts: 109Questions: 25Answers: 2

    Hi Allan,

    Do you suggest that I should follow this?

    If so, how can I apply it to, for example:

    return data.vin_sousvignobles.sousvignoble;
    

    Unless I should apply it to the editor part? I must say that I am lost on that.

  • allanallan Posts: 63,498Questions: 1Answers: 10,471 Site admin

    You could use:

    let escaped = DataTable.render.text().display(data.vin_sousvignobles.sousvignoble);
    

    to escape the HTML characters. Then use that resulting string in your return statement.

    Allan

Sign In or Register to comment.