Editor using Ascii to save single quote to sql db - Select list shows ascii


OtherJason Posts: 5 Questions: 1 Answers: 0
edited February 2022 in Editor

I am using .Net, Datatables 1.10.18 and editor 1.9.0 with inline editing.

When a user edits a string field to use an apostrophe (single quote), the data is being stored in the SQL table as ascii "'"
For example, if the user updates "Freds" to "Fred's", the table shows "Fred's". Datatables has no issue returning that, so it looks like "Fred's". However, other places in the application querying the data, for example to load a select list, actually show the ascii in the string - "Fred's"

Most of the prior data I see has the single quote saved to the db table directly with no ascii or escape character. How can I rectify this between the two different ways of handling this?

Replies

  • OtherJason Posts: 5 Questions: 1 Answers: 0

    Sorry, this is what is being stored in the db and shown when using select lists instead of the single quote.

    "

  • allan Posts: 61,446 Questions: 1 Answers: 10,054 Site admin

    Thanks - I've edited the post to add code backticks, which will then render out the HTML entities.

    My guess is that you are using the .NET libraries for Editor? What you are seeing is an artefact of the XSS protection. In the .NET libraries we use the Microsoft AntiXSS library which is somewhat overprotective imho.

    To disable per field, use:

    // Turn off the AntiXSS entity encoding for this one field only
    new Field("myField")
      .Xss(false)

    And if my assumption is correct, the characters will no longer be encoded as HTML entities on the database.

    Allan

  • OtherJason Posts: 5 Questions: 1 Answers: 0

    Whew, this works. Thank you a ton Allan.

  • OtherJason Posts: 5 Questions: 1 Answers: 0

    Does disabling this then leave the field completely unprotected or are there other protections built in?

  • allan Posts: 61,446 Questions: 1 Answers: 10,054 Site admin

    It depends a little bit on what your user access is for entering data. If an untrusted person is able to insert data, then yes, there is XSS potential there.

    Have a look at this section of the Editor security manual for more details.

    Using the DataTables text renderer might be best for you - but it really depends on your use case? If you are able to describe it, I might be able to offer some advice.

    Regards,
    Allan
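The two answers above describe a store-raw, escape-on-output arrangement: with `Xss(false)` the apostrophe reaches the database as a plain character, and the client then escapes values when it puts them into HTML (which is what the DataTables text renderer does). The following is an added example, not DataTables or Editor code: `escapeHtml` is a stand-alone reimplementation of that kind of output encoding, `renderSelect` shows the select list built from raw values so that "Fred's" is displayed correctly, and `unescapeHtml` converts rows that were stored already entity-encoded (the situation in the original post) back to the raw form so the table holds one representation. The function names and the `SAMPLE_ROWS` values are constructed for this example; `unescapeHtml` assumes that no legitimately stored value contains literal entity text such as `&amp;`.

```javascript
// Added example, not DataTables/Editor library code.
// Demonstrates escape-on-output for values stored raw in the database.

// Characters that must be escaped when untrusted text is placed in HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a raw string for insertion into HTML text or attribute values.
// Written for this example to mirror what a text renderer does at output time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup of a <select> from raw database values. Every value passes
// through escapeHtml exactly once, at output time, so a stored "Fred's" becomes
// Fred&#39;s in the markup and the browser displays Fred's.
function renderSelect(name, rawValues) {
  const options = rawValues
    .map((v) => `<option value="${escapeHtml(v)}">${escapeHtml(v)}</option>`)
    .join('');
  return `<select name="${escapeHtml(name)}">${options}</select>`;
}

// Inverse of escapeHtml for the five entities above. Intended for normalising
// rows that the server-side filter stored already entity-encoded.
// Assumes raw values never legitimately contain literal entity text.
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&'); // last, so that &amp;lt; decodes to &lt; rather than <
}

// Constructed sample rows: raw, already entity-encoded, and one containing markup.
const SAMPLE_ROWS = ["Fred's", "Fred&#39;s", "<b>Bob</b>"];

// Escaping an already-encoded value a second time yields &amp;#39;, which the
// browser shows as the literal text &#39; - the symptom seen in the select list.
console.log(escapeHtml(SAMPLE_ROWS[1]));
// Normalising first, then escaping once at output, gives the same result for both rows.
console.log(renderSelect('owner', SAMPLE_ROWS.map(unescapeHtml)));
```

Note that `escapeHtml` applied to a value that is already `Fred&#39;s` produces `Fred&amp;#39;s`, which is exactly why a server-side encoder plus a client-side renderer shows entity text instead of the apostrophe: the encoding must happen in one place only.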
