HTML tag Issue #19
Comments
Fixed. Thanks @kimwz, your comments are very welcome!
@gatesh says: This change has broken my ability to put selects, like the following, in a cell: <select id="western_coastal" name="Western Coastal Region"> Now the code above shows up in the cell, instead of the select dropdown.
@gatesh - I just submitted a change that allows you to use HTML in setDataAtCell. Use it like this:
Can you confirm if it works for you that way?
I'm using $("#dataTable").handsontable("loadData", dataFormatted); I have to do a LOT of processing on the backend to get dataFormatted. While the updated setDataAtCell does work, I'd really rather not call it after already calling loadData. I'm curious: why do you need to escape HTML characters at all in the td? In any case, perhaps you could have an allowHTML flag for loadData as well? Thanks!
I forgot about "loadData". I will add an allowHtml param there as well. That is something that @kimwz pointed out. Before today's change you were able to manually type something into a table cell to insert bold text there. This is potentially a serious XSS threat because it allows someone to add hidden code or script into the array. Any security manual tells you to escape user input to avoid XSS threats, and I am ashamed that I didn't notice that earlier. Of course, there are justified cases when HTML should be allowed (especially when it is generated input, not user input). For those cases, the allowHtml param in 'setDataAtCell' and 'loadData' will be enough.
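The policy described in the comment above (escape by default, allow markup only for generated input), sketched as an added example that is not part of the original thread and is not Handsontable's code. The `Grid` class, `applyUserEdit` and `renderCell` are hypothetical names; only `loadData`, `setDataAtCell` and the `allowHtml` flag come from the discussion.

```javascript
// Added example: a hypothetical grid model, not Handsontable's implementation.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

class Grid {
  constructor() {
    this.cells = []; // rows of { value, trusted }
  }

  // allowHtml marks every loaded cell as trusted markup. Assumption of this
  // example: callers pass true only for data the application generated itself.
  loadData(rows, allowHtml = false) {
    this.cells = rows.map((row) =>
      row.map((value) => ({ value, trusted: allowHtml === true }))
    );
  }

  // Programmatic write: trust is decided per call and defaults to escaping.
  setDataAtCell(row, col, value, allowHtml = false) {
    this.cells[row][col] = { value, trusted: allowHtml === true };
  }

  // Text typed into the cell editor (hypothetical entry point): never trusted,
  // even if the table was originally loaded with allowHtml = true.
  applyUserEdit(row, col, text) {
    this.setDataAtCell(row, col, text, false);
  }

  // Returns the markup for one cell; untrusted values are escaped on output.
  renderCell(row, col) {
    const cell = this.cells[row][col];
    const body = cell.trusted ? String(cell.value) : escapeHtml(cell.value);
    return "<td>" + body + "</td>";
  }
}

// Constructed sample data: one generated dropdown, one cell edited by a user.
const grid = new Grid();
grid.loadData([['<select id="western_coastal"></select>', "plain"]], true);
grid.applyUserEdit(0, 1, "<b>hi</b><script>alert(1)</script>");
console.log(grid.renderCell(0, 0)); // generated markup kept as markup
console.log(grid.renderCell(0, 1)); // typed markup rendered as text
```

Tracking trust per cell keeps the `allowHtml` opt-in from leaking onto values that arrive later through the editor.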
I added allowHtml param to loadData. Please give it a try @gatesh. Thanks!
I am now calling using: $("#dataTable").handsontable("loadData", dataFormatted, true); The html, however, is still escaped.
[Shift + Enter], new line in text does not work
Thanks again, @kimwz. Fixed now.
HTML tag is working
I think you have to add the code about encoding