Another take on the ampersand saga.
Another take on the ampersand saga.
tangerine
Posts: 3,350Questions: 37Answers: 394
Hi Allan.
I was looking for a htmLawed config option which would allow ampersands without neutralizing them. Either there isn't one or I'm not bright enough to understand them.
But I thought it might be useful to have your Htmlaw wrapper class look for an external config file before using its own built-in config array. That way, smarter developers than me need not fear upgrades.
Just a thought.
This discussion has been closed.
Replies
I don't see an option for that either I'm afraid. One option is to use a DOM parsing library such as HTMLPurifier which should handle this sort of thing much better. The downside is that it is fairly massive, which is why I didn't include it with Editor by default.
The correct thing to do is really to disable XSS protection in Editor write and only do the protection when displaying in the table. I toying with the idea of making that change for v2 of DT and Editor, but I think it will cause a lot of heartache if DataTables does HTML escaping by default in v2. It does feel like the right thing to do though.
Allan