JavaScript

The JavaScript Calendar component includes built-in cross-site scripting (XSS) protection.

The XSS protection is enabled by default (the xssProtection property defaults to "Enabled").

When enabled, the text strings specified using the API (i.e. supplied by the developer/user and not auto-generated) are HTML-encoded.

Even with XSS protection enabled, you can still supply your own HTML: use the *html* variant of a property (e.g. cornerHtml) instead of its *text* variant (e.g. cornerText). The *html* variants are applied as-is, so the application is responsible for the safety of that markup.

Protected Strings

  • event text (events.list[].text)

  • column name (columns[].name)

  • upper-left corner text (cornerText)

  • message text (message(text) method)

  • loading label text (loadingLabelText)

  • event text provided by the user during inline event editing

Always Protected

The following strings are always escaped, regardless of the xssProtection value:

On-Output XSS Protection

All escaping takes place during rendering. The strings provided by the user using interactive controls (e.g. inline editing) are passed to the event handlers in raw form.

Raw HTML

All API elements that include "html" in their name (e.g. cornerHtml, events.list[].html, onBeforeEventRender/args.data.html) are applied without escaping.
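To make the on-output model and the text/html distinction concrete, here is an added example that models the rules described on this page. It is not the calendar component's own code: the event shape (text/html), the xssProtection flag, the renderEventHtml function and the onEventEdited handler are assumptions made for illustration.

```javascript
// Added example: a minimal model of the escaping rules described on this page.
// It is NOT the calendar component's own code; the event shape (text/html),
// the xssProtection flag and the function names are assumptions.

// HTML-encode the characters that can change markup context when a string
// is inserted into an element body or a double-quoted attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one event as markup, mirroring the documented precedence:
//  - events.list[].html, when present, is used without escaping;
//  - otherwise events.list[].text is escaped when xssProtection is "Enabled"
//    and inserted raw when it is "Disabled".
function renderEventHtml(event, xssProtection = "Enabled") {
  if (typeof event.html === "string") {
    return `<div class="event">${event.html}</div>`; // raw HTML, never escaped
  }
  const text = event.text == null ? "" : event.text;
  const body = xssProtection === "Enabled" ? htmlEncode(text) : text;
  return `<div class="event">${body}</div>`;
}

// Model of an inline-edit handler: the component hands the edited text to the
// handler exactly as typed (raw). Escaping happens later, in the renderer.
function onEventEdited(event, newText, handlers) {
  handlers.log.push(newText);  // raw string reaches the handler unencoded
  event.text = newText;        // stored raw; safe only because output escapes it
  return event;
}

// Constructed sample data (not from the page).
const sample = { id: 1, text: "Planning <b>Q3</b> & review" };
console.log(renderEventHtml(sample));                   // text is encoded
console.log(renderEventHtml({ ...sample, html: "<i>Q3</i>" })); // html is raw
```

The raw string handed to the handler is safe to store, but if the handler writes it into the DOM itself (innerHTML, a tooltip, a template) it must encode it again, because the component's protection only covers what the component renders.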