Since version 2020.4.4701, the Scheduler includes built-in cross-site scripting (XSS) protection.
The XSS protection is enabled by default (the xssProtection property is set to "Enabled").
When enabled, the text strings specified using the API (i.e. supplied by the developer/user rather than auto-generated) are HTML-encoded before they are inserted into the page.
Even with XSS protection enabled, you can still define your own HTML - just use the *html* properties instead of the *text* (or similar) properties.
When XSS protection is enabled, the following strings are escaped:
- event text (
- event version text (
- resource name (
- resource column names (
- resource column values (
- resources properties specified using
- upper-left corner text (
- message text (
- loading label text (
- row name provided by the user during inline row editing
- row name provided by the user when creating a new row
- event text provided by the user during inline event editing
Property aliases (such as rowHeaderColumns.title) are escaped as well.
The following strings are always escaped, regardless of the
- DayPilot.Area.text (see DayPilot.Area properties)
- Event text set using the DayPilot.Event.text() method
On-Output XSS Protection
All escaping takes place during rendering (on output). Strings provided by the user through interactive controls (e.g. inline editing) are passed to the event handlers in raw, unescaped form.
All API elements that include "html" in their name (e.g. args.data.html) are applied without escaping.
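The two points above (text properties are encoded at render time, html properties and raw handler input are not) can be illustrated with a small model of on-output escaping. This is an added example, not DayPilot's own code: the functions htmlEncode, renderEventLabel and applyInlineEdit, the event-data objects and the sample strings are all constructed here to show the behaviour the text describes, and the "Enabled"/"Disabled" values mirror the xssProtection setting named above.

```javascript
// Added example (not DayPilot's implementation): a minimal model of
// on-output XSS protection for an event label.

// HTML-encode the characters that change meaning in element and attribute
// contexts. Encoding happens at output time, so the stored value stays raw.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render an event's label the way an on-output protection does:
// an 'html' property is developer-supplied markup and is emitted verbatim;
// a 'text' property is encoded unless xssProtection is "Disabled".
function renderEventLabel(eventData, xssProtection = "Enabled") {
  if (typeof eventData.html === "string") {
    return eventData.html; // never escaped, by design of the "html" properties
  }
  const text = eventData.text == null ? "" : eventData.text;
  return xssProtection === "Enabled" ? htmlEncode(text) : text;
}

// An inline-editing handler receives the user's new text in raw form.
// Storing it under 'text' is safe because rendering encodes it; if the
// application also wants to wrap it in markup via 'html', it must encode
// the raw input itself, because 'html' bypasses the protection.
function applyInlineEdit(eventData, rawUserInput) {
  return {
    ...eventData,
    text: rawUserInput,                         // encoded later, on output
    html: "<b>" + htmlEncode(rawUserInput) + "</b>", // app-built markup, pre-encoded
  };
}

// Constructed sample values (not from the page).
const sampleText = '<b>Meeting</b> & "review"';
const sampleEvent = { id: 1, text: sampleText };
const editedEvent = applyInlineEdit({ id: 2, text: "Old" }, "<i>New</i>");
```

Rendering sampleEvent with protection enabled yields the encoded string, with protection disabled the raw markup, and editedEvent.html contains only the encoded user text inside the application's own tags.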