Answers

• kthorngren Posts: 21,173Questions: 26Answers: 4,923

  April 2021

  AFAIK there is nothing built in for this. You can create your own custom renderer or use columns.render to remove the tags you want.

  Kevin
• silkspin Posts: 152Questions: 34Answers: 5

  April 2021

  Thanks @kthorngren. I've decided just to escape everything with $.fn.dataTable.render.text() because realistically I'd need to strip out other js events that could also be in the data feed.
• silkspin Posts: 152Questions: 34Answers: 5

  June 2021

  I've been trying ways of safely rendering HTML, but still being able to add line breaks to data in cells. I thought I might be able to escape all HTML but then replace a character after using render to add <br> tags. Is there any way I can achieve this?

  {
    targets: "_all",
    render: $.fn.dataTable.render.text(),
  },
  {
    targets : 1,
    render: function (data, type, row ) {
      data_replace = data.replace(/ /g, '<br><br>');
      return data_replace;
    }
  },
  
• kthorngren Posts: 21,173Questions: 26Answers: 4,923

  June 2021 Answer ✓

  You won't be able to define multiple renderers for the same column. I suspect that if you add a console.log statement to the render function you will find that it doesn't run. If you comment out line 3 then you will see the render function executes.

  But it looks like you can do something like this using the .display() method to combine the two:
  http://live.datatables.net/xuqirapu/1/edit

  Kevin
• silkspin Posts: 152Questions: 34Answers: 5

  June 2021

  Hi Kevin. I thought I might've been able to apply XSS prevention to all columns and then target just the one column afterwards that needed the character replacements. Your solution is perfect. I have put <script> tags in the feed and they are escaped as expected so all is fine now. Thanks for your help.