Datatables HTML encoding
I have used jQuery Datatables in my Laravel web apps. I used the packagist package chumper/datatable to handle the Datatables server side.

Unfortunately I discovered a major security issue, i.e. XSS (Cross Site Scripting). The server returns JSON data, and the client loads the data into the table without escaping it.

How can I get the client to escape the data before loading it into the table?
fnCreatedRow is a callback function to control a table row after the row is created. We can use this callback function to change the row before it is inserted into the HTML document.

I used chumper/datatable to create this function:
    $table = Datatable::table()
        ->addColumn('ID', 'Username', 'Name', 'Email', 'Actions')
        ->setUrl(URL::to('admin/users/data'))
        ->setOptions(array(
            'aoColumns' => array(
                array('sType' => 'numeric'),   // ID
                null,                          // Username
                null,                          // Name
                null,                          // Email
                array('bSortable' => false),   // Actions
            ),
        ))
        ->setCallbacks('fnCreatedRow',
            // Columns 1..3 (Username, Name, Email) are user-supplied, so set them with
            // .text() so the browser stores them as text nodes instead of parsing them as HTML.
            'function(nRow, aData, iDisplayIndex, iDisplayIndexFull) {
                for (var i = 1; i < 4; i++) jQuery("td:eq(" + i + ")", nRow).text(aData[i]);
            }'
        )
        ->noScript();

    return View::make('admin.users.index', compact('table'));
I used fnCreatedRow to change the content of each td element so that the td elements display the data as text (HTML encoded).
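As an added, dependency-free example (not from the answer above or from chumper/datatable), this models what the fnCreatedRow callback achieves: the table would otherwise insert the server's JSON strings as markup, while setting the td with .text() stores them as text, which is equivalent to HTML-escaping them. escapeHtml, renderRowUnsafe and renderRowSafe are assumed helper names; the sample row is constructed.

```javascript
// Escapes the five characters that matter in HTML text and attribute context.
// This is the effect jQuery(...).text(value) has when the browser serializes the cell.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Column layout mirrors the answer: 0 = ID, 1..3 = user-controlled text, 4 = Actions
// (markup built by the server, so it is left as-is and must never carry user input).
const TEXT_COLUMNS = [1, 2, 3];

// Unsafe rendering: what the table does when it trusts the JSON payload as markup.
function renderRowUnsafe(aData) {
  return "<tr>" + aData.map((v) => "<td>" + v + "</td>").join("") + "</tr>";
}

// Safe rendering: the text columns are escaped the way .text() would store them.
function renderRowSafe(aData) {
  const cells = aData.map((v, i) =>
    TEXT_COLUMNS.includes(i) ? escapeHtml(v) : String(v)
  );
  return "<tr>" + cells.map((c) => "<td>" + c + "</td>").join("") + "</tr>";
}

// Detection helper for the check below: does the rendered HTML still contain a live script tag?
function containsActiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample row (not real data) whose Name field carries an injected script tag.
const sampleRow = [
  7,
  "alice",
  "<script>alert(1)</script>",
  "alice@example.com",
  '<a href="/admin/users/7/edit">Edit</a>',
];

console.log(renderRowUnsafe(sampleRow)); // script tag survives: XSS
console.log(renderRowSafe(sampleRow));   // script tag is inert text
```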