sqlalchemy-datatables
Escape results before output
Ability to escape data before output, to prevent JS/HTML injections.
@vsevolod-kolchinsky Could you please provide an example?
@vsevolod-kolchinsky Sorry for missing this PR. Can you provide an example of the injection? As far as I am aware all results should be returned as JSON and thus not susceptible. Please let me know if I am wrong about this.
The simplest case would be the following: given some database table with rows containing raw HTML with Javascript, which you don't want to be executed when Datatable renders.
```python
from datatables import DataTables
# flask.escape was removed in Flask 2.3; on current Flask use
# `from markupsafe import escape` instead (same callable).
from flask import escape
[...]
# Pass the escape callable so every cell is HTML-escaped before it is
# serialized into the JSON response that DataTables renders.
table = DataTables(params, query, columns, escape=escape)
```
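To make the disagreement in this thread concrete, here is an added, self-contained example (not code from sqlalchemy-datatables or from either commenter) that builds a DataTables-style JSON body from constructed rows, once verbatim and once through an `escape` callable. It shows that the body is valid JSON either way, which is the maintainer's point, but that a string cell carrying markup only stops being markup when it is escaped before serialization, which is the PR's point. The `escape_fn` keyword and the `escape_row` helper are this example's own names and only mirror the idea of the PR's `escape=` parameter; the stdlib `html.escape` stands in for `flask.escape`.

```python
import html
import json

# Constructed sample rows: what a query might return, with one cell holding
# untrusted markup that a browser-side renderer would insert into the DOM as-is.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "bio": "plain text"},
    {"id": 2, "name": "Mallory", "bio": '<img src=x onerror="alert(1)">'},
]

# Default escaper used by the example; swap in markupsafe.escape if preferred.
DEFAULT_ESCAPE = html.escape


def escape_row(row, escape_fn=DEFAULT_ESCAPE):
    """Return a copy of ``row`` with every string cell run through ``escape_fn``.

    Non-string values (ints, None, ...) are left untouched so numeric columns
    still serialize as JSON numbers. ``escape_fn`` is pluggable, mirroring the
    ``escape=`` callable the PR proposes (hypothetical helper, not the
    library's own code).
    """
    return {
        key: escape_fn(value) if isinstance(value, str) else value
        for key, value in row.items()
    }


def build_response(rows, escape_fn=None):
    """Build the JSON body DataTables expects, escaping cells only when asked.

    With ``escape_fn=None`` the rows are serialized verbatim: still valid JSON,
    but json.dumps does not touch '<' or '>', so any markup stored in the
    database reaches the client unchanged.
    """
    data = [escape_row(r, escape_fn) if escape_fn else r for r in rows]
    return json.dumps({
        "draw": 1,
        "recordsTotal": len(rows),
        "recordsFiltered": len(rows),
        "data": data,
    })


def contains_raw_markup(body):
    """Check whether any string cell in the serialized body still holds '<'."""
    return any(
        "<" in value
        for row in json.loads(body)["data"]
        for value in row.values()
        if isinstance(value, str)
    )


if __name__ == "__main__":
    unescaped = build_response(SAMPLE_ROWS)
    escaped = build_response(SAMPLE_ROWS, escape_fn=DEFAULT_ESCAPE)
    print("unescaped body:", unescaped)
    print("escaped body:  ", escaped)
    print("markup survives without escape:", contains_raw_markup(unescaped))
    print("markup survives with escape:   ", contains_raw_markup(escaped))
```

Escaping on the server is a defence-in-depth measure: whether the browser executes the `onerror` handler ultimately depends on how the DataTables column renderer inserts the cell (HTML versus text), so the safer default is to never let raw markup leave the server unless a column is explicitly meant to carry it.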