Since version 2020.4.4701, the Scheduler includes built-in cross-site scripting (XSS) protection.

The XSS protection is enabled by default (xssProtection property is set to "Enabled").

When enabled, the text strings specified using the API (i.e. supplied by the developer/user and not auto-generated) are HTML-encoded.

Even with XSS protection enabled, you can still define your own HTML - just use *html* instead of *text* (or similar) properties.

Protected Strings

  • event text (events.list[].text)

  • event version text (events.list[].versions[].text)

  • resource name (resources[].name)

  • resource column names (rowHeaderColumns[].text)

  • resource column values (resources[] properties specified using rowHeaderColumns[].display)

  • upper-left corner text (cornerText)

  • message text (message(text) method)

  • loading label text (loadingLabelText)

  • row name provided by the user during inline row editing

  • row name provided by the user when creating a new row

  • event text provided by the user during inline event editing

Property aliases (such as rowHeaderColumns[].text and rowHeaderColumns[].title) are escaped as well.

Always Protected

The following strings are always escaped, regardless of the xssProtection value:

On-Output XSS Protection

All escaping takes place during rendering. The strings provided by the user using interactive controls (e.g. inline editing) are passed to the event handlers in raw form.


All API elements that include "html" in their name (e.g. cornerHtml, events.list[].html, onBeforeEventRender/ are applied without escaping.