Datatables HTML encodes

I have used jQuery Datatables in my Laravel web apps. I used the Packagist package chumper/datatable to handle the Datatables server side.

Unfortunately I discovered a major security issue, i.e. XSS (Cross Site Scripting). The server returns JSON data, and the client loads the data into the table without escaping it.

How can I get the Client to escape the data before loading it into the table?


1 answer


fnCreatedRow is a callback function to control a table row item after the row is created. We can use this callback function to change the row before the row is inserted into the HTML document.

I used chumper/datatable to create this function:

```php
// Laravel controller action: builds the DataTable definition server-side with chumper/datatable
$table = Datatable::table()
    ->addColumn('ID', 'Username', 'Name', 'Email', 'Actions')
    ->setUrl(URL::to('admin/users/data'))
    ->setOptions(array('aoColumns' => array(array('sType' => 'numeric'), null, null, null, array('bSortable' => false))))
    // fnCreatedRow runs in the browser after each <tr> is built and before it is inserted into the DOM.
    // jQuery .text() sets the cell content as plain text, so any markup in the JSON is HTML-encoded.
    ->setCallbacks('fnCreatedRow',
        'function(nRow, aData, iDisplayIndex, iDisplayIndexFull) {
            // columns 1..3 (Username, Name, Email) hold user-controlled data; ID and Actions are left as-is
            for (var i = 1; i < 4; i++) jQuery("td:eq(" + i + ")", nRow).text(aData[i]);
        }'
    )
    ->noScript();
return View::make('admin.users.index', compact('table'));
```

I used fnCreatedRow to change the content of each td element so that the td elements display the data as text (HTML encoded).
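As an added illustration (not part of the original answer, and not using the DataTables or jQuery libraries), the following jQuery-free model shows why the callback matters. DataTables builds each cell by inserting the JSON value as HTML, so markup in the data is parsed as markup; calling `.text()` on the cell instead sets it as text, which is equivalent to HTML-encoding the value. Both paths are modelled here as string builders over a constructed sample row; `escapeHtml`, `renderRowUnsafe`, `renderRowSafe` and the sample data are all names and values invented for this example.

```javascript
// Encode the characters that are significant in HTML text and attribute contexts.
// This is what setting a cell via textContent / jQuery .text() achieves in the browser.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable path: every cell value is dropped into the row markup unescaped,
// which is what happens when the JSON is loaded into the table as-is.
function renderRowUnsafe(aData) {
  return "<tr>" + aData.map(function (v) { return "<td>" + v + "</td>"; }).join("") + "</tr>";
}

// Hardened path: the columns listed in textColumns are encoded, mirroring the
// answer's loop over td:eq(1..3). Columns not listed are left alone, as the answer
// leaves the numeric ID and the server-built 'Actions' HTML untouched.
function renderRowSafe(aData, textColumns) {
  var cells = aData.map(function (v, i) {
    var content = textColumns.indexOf(i) !== -1 ? escapeHtml(v) : v;
    return "<td>" + content + "</td>";
  });
  return "<tr>" + cells.join("") + "</tr>";
}

// Constructed sample row in the shape the server JSON would have:
// [ID, Username, Name, Email, Actions]. The Name field carries user-supplied
// markup (a harmless tag and an ampersand) to show what reaches the DOM on each path.
var sampleRow = [7, "alice", "<b>Alice</b> & Co", "alice@example.com",
                 '<a href="/admin/users/7/edit">Edit</a>'];

// Columns 1..3 match the original callback's for (var i = 1; i < 4; i++).
var TEXT_COLUMNS = [1, 2, 3];

// Returns true when the rendered row still contains a raw (unencoded) tag of the given name.
function hasRawTag(html, tagName) {
  return html.indexOf("<" + tagName + ">") !== -1;
}

// Stand-alone run: compare the two renderings side by side.
console.log("unsafe:", renderRowUnsafe(sampleRow));
console.log("safe:  ", renderRowSafe(sampleRow, TEXT_COLUMNS));
```

The practical takeaway is that the fix is a per-column decision: encode every column whose value originates from users, and keep any column that intentionally carries HTML (such as action links) generated only from trusted server-side templates. Newer DataTables releases also ship a built-in text renderer (`$.fn.dataTable.render.text()`) that can be set per column via `columns.render`, which expresses the same rule declaratively; that option is not part of the original answer.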
