Since version 2020.4.4701, the Scheduler includes built-in cross-site scripting (XSS) protection.
The XSS protection is enabled by default (xssProtection property is set to "Enabled").
When enabled, the text strings specified using the API (i.e. supplied by the developer/user and not auto-generated) are HTML-encoded before they are inserted into the page:
- event text (events.list.text)
- event version text (events.list.versions.text)
- resource name (resources.name)
- resource column names (rowHeaderColumns.text)
- resource column values (resources properties specified using rowHeaderColumns.display)
- upper-left corner text (cornerText)
- message text (message(text) method)
- loading label text (loadingLabelText)
Property aliases (such as rowHeaderColumns.text and rowHeaderColumns.title) are escaped as well.
The following strings are always escaped, regardless of the xssProtection value:
- row name provided by the user during inline row editing
- row name provided by the user when creating a new row
- event text provided by the user during inline event editing
Even with XSS protection enabled, you can still define your own HTML - just use the *html* property instead of *text* (or its equivalent, e.g. events.list.html instead of events.list.text, cornerHtml instead of cornerText). Values of *html* properties are inserted verbatim, so any user-supplied content you place in them must be escaped by your own code first.
On-Output XSS Protection
All escaping takes place during rendering (on output), not when a value is stored. The strings that the user enters through interactive controls (e.g. inline editing) are passed to the event handlers in their raw, unescaped form, so a handler that copies such a value into your own markup must escape it itself.
All API elements that include "html" in their name (e.g. cornerHtml, events.list.html, onBeforeEventRender/args.data.html) are inserted without escaping; the content of these properties is entirely the developer's responsibility.
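The text/html distinction and the on-output model described above, as an added example that is not DayPilot's own code. It is a stand-alone model written for this page: htmlEncode, renderEventInner, simulateInlineEdit, unsafeHtmlFromText and safeHtmlFromText are illustrative helpers, the handler name onEventEdit and the args.newText / args.e / args.preventDefault() shape are assumed for the purpose of the example, rendering returns a markup string instead of touching the DOM, and the payload string is constructed sample input.

```javascript
// Added example (not DayPilot's implementation): a minimal model of the
// Scheduler's on-output XSS protection. Handler and argument names
// (onEventEdit, args.newText, args.e, preventDefault) are assumed.

// HTML-encode a string so the browser renders it as literal text.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the inner markup of an event box. An "html" property is used
// verbatim; a "text" property is encoded only when xssProtection is "Enabled".
function renderEventInner(event, xssProtection) {
  if (event.html !== undefined) {
    return event.html;                       // "html" values are never escaped
  }
  const text = event.text === undefined ? "" : event.text;
  return xssProtection === "Enabled" ? htmlEncode(text) : text;
}

// Simulated inline editing: the handler receives the typed value raw, the raw
// value is stored in the model, and nothing is escaped until rendering.
function simulateInlineEdit(scheduler, event, rawInput) {
  const args = {
    e: event,
    newText: rawInput,                       // raw, exactly as typed
    canceled: false,
    preventDefault() { this.canceled = true; },
  };
  if (typeof scheduler.onEventEdit === "function") {
    scheduler.onEventEdit(args);
  }
  if (!args.canceled) {
    event.text = args.newText;               // the model keeps the raw string
  }
  return args;
}

// Pitfall: copying the raw value into an "html" property bypasses the
// protection, because "html" properties are inserted without escaping.
function unsafeHtmlFromText(event) {
  return { id: event.id, html: "<b>" + event.text + "</b>" };
}

// Fix: encode the untrusted part yourself before composing your own HTML.
function safeHtmlFromText(event) {
  return { id: event.id, html: "<b>" + htmlEncode(event.text) + "</b>" };
}

// Constructed sample input: a typical stored-XSS probe typed into the editor.
const PAYLOAD = '<img src=x onerror="alert(1)">';

function demo() {
  const seen = [];
  const scheduler = {
    xssProtection: "Enabled",
    onEventEdit(args) { seen.push(args.newText); },   // sees the raw value
  };
  const event = { id: 1, text: "Meeting" };

  simulateInlineEdit(scheduler, event, PAYLOAD);

  return {
    handlerSawRaw: seen[0] === PAYLOAD,
    storedRaw: event.text === PAYLOAD,
    renderedEnabled: renderEventInner(event, "Enabled"),
    renderedDisabled: renderEventInner(event, "Disabled"),
    unsafeHtml: renderEventInner(unsafeHtmlFromText(event), "Enabled"),
    safeHtml: renderEventInner(safeHtmlFromText(event), "Enabled"),
  };
}

console.log(demo());
```

The point of the model is the order of operations: the handler and the data model both hold the raw string, and the only place a "text" value is made safe is the render step. Disabling xssProtection, or moving the same string into an "html" property, removes that step, which is why any HTML you build from user-entered values has to go through your own encoder.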