Option for Escaping Output

[sooluh]

Hello @hermawanramadhan

Regarding the pull request and issue brought up by @erikkraijenoord, I'm having trouble with it. I thought this was an error from my script, but after analyzing the error I experienced occurred after I upgraded this package.

Previously I wanted to explain, with datatables I often apply HTML to the last column (that is, the "action" column), where I display several action buttons. However, I recently upgraded this package and all datatables display HTML code (literally HTML code).

Then I checked this repository and yep, there's a pull request where the changes apply escaping data from the resultset.

Maybe we can make an option for that? developer could enforce whether the output will be escaped or not necessary, maybe that setting could be set per-column?

Thanks in advance :3

[hermawanramadhan]

OK. my bad. I've delete release v0.5.5.

[sooluh]

Maybe if I have some free time I'd like to help add an option to escape output or not. Because for security it is still necessary.

Thanks for responding 😁

[hermawanramadhan]

Maybe on future. you must try column rendering using datatables. so you can create "action" column on client side. not placing html tag on server side.

future update maybe it will use escaping on default. (also update example on my document because still using html tag on server side) 😁

if have any free time I will update this library. now currently busy with other thing. (sok sibuk hahaha)😂😂

[erikkraijenoord]

The callback HTML in my case is done within the option render from DataTables itself. I prefer my data to be escaped before putting it on screen to prevent possible XSS attacks.

But an option to exclude a certain column could work i guess.

[hermawanramadhan]

yup, you're right. render option was better. for now I prefer render on client (js). some people still have habit "render" like html "action" on server. even if my old style coding. 😁

[erikkraijenoord]

Thank you for the response, i believe the render option has always been there to convert data into html. This shouldn't be done on the server-side due to possible abuse on this part.

[erikkraijenoord]

@hermawanramadhan
I think i've found a possible solution for @sooluh a few lines above there's a switch/case. I've changed the default with the esc() function, this seems to be working to let other options render the buttons.

So the method should be something like this, not 100% secured but more secure than previous versions.

public function getDataResult()
{
    $queryResult = $this->queryResult();
    $result      = [];

    foreach ($queryResult as $row) 
    {
        $data    = [];
        $columns = $this->columnDefs->getColumns();

        foreach ($columns as $column) 
        {
            switch ($column->type) {
                case 'numbering':
                    $value = $this->columnDefs->getNumbering();
                    break;
                
                case 'add':
                    $callback = $column->callback;
                    $value    = $callback($row);
                    break;
                
                case 'edit':
                    $callback = $column->callback;
                    $value    = $callback($row);
                    break;
                
                case 'format':
                    $callback = $column->callback;
                    $value    = $callback($row->{$column->alias});
                    break;
                
                default:
                    $value = esc($row->{$column->alias}); // Escape output on this line seems to work for me.
                    break;
            }

            if($this->columnDefs->returnAsObject)
                $data[$column->alias] = $value;
            else
                $data[] = $value;
            
        }

        $result[] = $data;
    }

    return $result;
}

/* End Generating result */

[hermawanramadhan]

found another way! this is best solution for now I think! updated on latest version v0.6.1

    public function getDataResult()
    {
        $queryResult = $this->queryResult();
        $result      = [];

        foreach ($queryResult as $row) 
        {
            //escaping all
            foreach($row as $key => $val)
                $row->$key = esc($val);

            $data    = [];
            $columns = $this->columnDefs->getColumns();

            foreach ($columns as $column) 
            {
                switch ($column->type) {
                    case 'numbering':
                        $value = $this->columnDefs->getNumbering();
                        break;
                    
                    case 'add':
                        $callback = $column->callback;
                        $value    = $callback($row);
                        break;
                    
                    case 'edit':
                        $callback = $column->callback;
                        $value    = $callback($row);
                        break;
                    
                    case 'format':
                        $callback = $column->callback;
                        $value    = $callback($row->{$column->alias});
                        break;
                    
                    default:
                        $value = $row->{$column->alias};
                        break;
                }

                if($this->columnDefs->returnAsObject)
                    $data[$column->alias] = $value;
                else
                    $data[] = $value;
                
            }

            $result[] = $data;
        }

        return $result;
    }

    /* End Generating result */