How should HTML character entities be escaped when rendering from an AJAX request?

snufflingbadger Posts: 1 Questions: 1 Answers: 0

For example, if I have the following JSON response:

{"data": [["<b>test</b>&amp;"]]}

How do I render that as a literal (not HTML) within a column?

By default, tags are not escaped, so the "test" text renders in bold (not what I want). If I use the text helper render function, the <b> tags are escaped, but the &amp; is not, i.e. it appears as <b>test</b>& (not what I want). How do I render the text within the column as the literal string <b>test</b>&amp;?

Thanks in advance.
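One way to get the literal rendering the question asks for, as an added example that is not DataTables' own text helper (the names `escapeHtml`, `escapeTagsOnly`, `renderLiteral` and `renderFirstCell` are mine, and the sample response is the JSON from the question):

```javascript
// Added example, not DataTables' own text helper. escapeHtml treats the cell
// value as plain text: '&' is replaced first, so an entity that is already in
// the data ("&amp;") becomes "&amp;amp;" and the browser shows the literal
// "&amp;" instead of decoding it to "&".
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Null/undefined cells render as empty; numbers are stringified.
  const text = value === null || value === undefined ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reproduces the behaviour described in the question: tags are escaped but
// '&' is left alone, so "<b>test</b>&amp;" shows up as "<b>test</b>&".
function escapeTagsOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Renderer with the DataTables columns.render signature (data, type, row, meta).
// Only the 'display' copy is escaped; 'filter', 'sort' and 'type' get the raw
// value, so a search for the literal "<<" still matches the row.
function renderLiteral(data, type) {
  return type === 'display' ? escapeHtml(data) : data;
}

// Constructed sample: the JSON body from the question, already parsed.
const sampleResponse = { data: [['<b>test</b>&amp;']] };

// What the first cell would be rendered as for a given request type.
function renderFirstCell(response, type) {
  return renderLiteral(response.data[0][0], type);
}

// Usage in a DataTables config (needs a DOM, so not run here):
// $('#example').DataTable({
//   ajax: '/data.json',
//   columnDefs: [{ targets: 0, render: renderLiteral }],
// });
```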

Answers

  • allan Posts: 63,760 Questions: 1 Answers: 10,510 Site admin

    Thank you for the details! I've just committed a fix for this and the nightly will be up to date with the change in about 10 minutes (from the time of posting - 09.30 UTC).

    Allan

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    Hi
    I get an error when writing characters such as a single quote in an editor form, which your app saves as encoded HTML in the db:

    wwwwwwww'wwwww

    becomes in the db:

    wwwwwwww&#39;wwwww

    I can add or modify the data on the form but deleting throws:

    System.Web.HttpRequestValidationException
    HResult=0x80004005
    Message=A potentially dangerous Request.Form value was detected from the client (data[row_1][NotesBody]="wwwwwwww'wwwww").
    Source=DataTables-Editor-Server
    StackTrace:
    at DataTables.Editor.Process(NameValueCollection data) in /home/vagrant/DataTablesSrc/extensions/Editor-NET/DataTables-Editor-Server/Editor.cs:line 910

    This exception was originally thrown at this call stack:
    [External Code]
    DataTables.Editor.Process(System.Collections.Specialized.NameValueCollection) in Editor.cs

    I use the refs outlined on https://datatables.net/forums/discussion/comment/169338 and tried the updates under DataTables on https://datatables.net/download/nightly but same error occurs. Please advise.

  • allan Posts: 63,760 Questions: 1 Answers: 10,510 Site admin

    The Microsoft XSS protection is really aggressive, escaping almost everything. Add .Xss(false) to the fields to stop it from doing that escaping.

    Note that if this is a public facing site though, you should use DataTables' text renderer to prevent potential XSS attacks.

    Allan

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    I'd like to save the data in db as non encoded strings and returned to DT appropriately (as encoded if required just as long as they render as plain text in a browser window). How can this be achieved?

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    Why do I get this error only when deleting and not when saving or modifying?
    I still get the error with the renderer code.

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    Using the Xss method works. Thanks.

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    If it's safer to use the renderer, I'd still prefer to do so, but I need a solution for the deletion of records.

  • dynasoft Posts: 446 Questions: 69 Answers: 3

    Hi, would you have any news on this, please?

  • allan Posts: 63,760 Questions: 1 Answers: 10,510 Site admin

    Are you using .NETFramework? If so, use Process(request.Unvalidated) rather than Process(request).

    Allan

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi, I am also having an issue with HTML rendering while using SearchPanes. I have data that contains less than symbols (<) such as "Serial Number<<Compare<<Convert<<Main" which ends up being displayed properly in both the datatable and the SearchPane when I use the option $.fn.dataTable.render.text(). However, when I go to select this option from the SearchPane to filter the datatable, it does not find the matching records. Any help is appreciated!

  • allan Posts: 63,760 Questions: 1 Answers: 10,510 Site admin

    Could you try the nightly of SearchPanes, which I believe should resolve this? I'll ask Sandy to take a look tomorrow when he is back in as well.

    Allan

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi Allan, thanks for getting back so quickly. I have tried both the nightly build and the latest stable build and neither resolve this issue.

    Thanks

  • sandy Posts: 913 Questions: 0 Answers: 236

    Hi @mdesmond,

    We did push a fix for something very similar to this in the nightly builds within the last couple of weeks. Are you sure that you are getting the latest version of the nightly builds? It might be worth adding ?aslfkbgalfbglaub to the end of the URL just to make sure that you are breaking the cache.

    This is the post where the fix was made; there are some examples in there that would be worth looking at as well.

    If that doesn't work, could you link to a test case, please? Information on how to create a test case (if you aren't able to link to the page you are working on) is available here, or you could edit one of the examples in the other post.

    Thanks,
    Sandy

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi Sandy,

    Here is a link to a test case using the nightly builds: http://live.datatables.net/lovupalu/1/. It appears the problem occurs when there are two or more adjacent less than symbols in a line of text.

    Thank you!
    Mike

  • colin Posts: 15,240 Questions: 1 Answers: 2,599

    Yep, I'm seeing it here too. I've raised it internally (DD-1830 for my reference) and we'll report back here when there's an update.

    Cheers,

    Colin

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi Colin,

    Thank you for working on resolving this issue. Just checking in to see if you have any updates.

    Thanks

  • colin Posts: 15,240 Questions: 1 Answers: 2,599

    This was actually closed a couple of weeks ago; apologies, we forgot to update the forum thread. A release hasn't been made to include it yet (that should happen in the next couple of weeks), but the nightly releases here contain the fixes.

    Colin

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Thank you so much @colin!

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi Colin,

    Sorry to open this thread back up, but unfortunately I am still seeing this issue, this time with quotation marks. Here is a link to a fresh test case using the nightly builds: live.datatables.net/xegetehi/1/edit?html,js,output

    Thank you.

  • colin Posts: 15,240 Questions: 1 Answers: 2,599

    Sorry about that; when I re-test I'll go through a few characters. I've re-opened the same case (DD-1830) and we'll report back here when there's progress (probably Friday).

    Colin

  • sandy Posts: 913 Questions: 0 Answers: 236

    Hi @mdesmond,

    That should be the issue fixed now, as you can see at this example. This will be available in the next SearchPanes release, which we hope will be in the next few weeks. Until then you can access the fix from the nightly builds.

    Thanks,
    Sandy

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Thank you @sandy! I can confirm it works as expected. Looking forward to the next release.

  • mdesmond Posts: 12 Questions: 1 Answers: 0

    Hi All,

    I have updated to the latest builds and the text rendering seems to be much improved, although I am now seeing a new issue with the SearchPanes. It seems that when I have one filter already applied and then go to select another filter which contains a special character (the less-than symbol '<' in particular), the special-character filter item gets duplicated within the SearchPane. One of the duplicates becomes selected and shows that there are zero matching records even though there are 1+. The other duplicate is not selectable, but shows the correct number of matching records.

    Here is a demo using the nightly builds (issue is the same with latest release too):
    live.datatables.net/nutugufe/1/

    If you select the 'Failed' filter, and then select one of the filters within the 'CAUSE' filter, you will see the issue.

    It does end up filtering the data properly; the appearance is just messed up within the SearchPane.

  • sandy Posts: 913 Questions: 0 Answers: 236

    Hi @mdesmond,

    Thanks for pointing this out and for the test case. Something isn't right there. I've raised an issue internally (DD-2349 for my reference). I've made a fix for this as you can see at this example.

    This will be available in the next SearchPanes release, which we hope will be in the next few weeks. Until then you can access the fix from the nightly builds.

    Thanks,
    Sandy

This discussion has been closed.