JavaScript
The JavaScript Calendar component includes built-in cross-site scripting (XSS) protection.
The XSS protection is enabled by default (xssProtection property is set to "Enabled").
When enabled, the text strings specified using the API (i.e. supplied by the developer/user and not auto-generated) are HTML-encoded.
Even with XSS protection enabled, you can still define your own HTML - just use *html* instead of *text* (or similar) properties.
Protected Strings
-
event text (
events.list[].text) -
column name (
columns[].name) -
upper-left corner text (
cornerText) -
message text (
message(text)method) -
loading label text (
loadingLabelText) -
event text provided by the user during inline event editing
Always Protected
The following strings are always escaped, regardless of the xssProtection value:
-
DayPilot.Area.text(see DayPilot.Area properties) -
Event text set using DayPilot.Event.text() method
On-Output XSS Protection
All escaping takes place during rendering. The strings provided by the user using interactive controls (e.g. inline editing) are passed to the event handlers in raw form.
Raw HTML
All API elements that include "html" in their name (e.g. cornerHtml, events.list[].html, onBeforeEventRender/args.data.html) are applied without escaping.