Merge branch 'release/v5.9.0'

Author: yajra

change-log.md

@@ -8,6 +8,10 @@
 
 ##Change Log
 
+###v5.9.0
+    - Added escapeColumns feature to escape the values.
+    - Addresses XSS filtering issue #128.
+    
 ###v5.8.6
     - Fix DT_Row options when returning a flatten array response.
     - Fix PR #126.

readme.md

@@ -28,6 +28,7 @@ This package is created to handle [server-side](https://www.datatables.net/manua
 - Decorate your data output using [`league\fractal`](https://github.com/thephpleague/fractal) Transformer.
 - Works with Laravel Dependency Injection and IoC Container.
 - Provides a [DataTable Html Builder](http://datatables.yajrabox.com/html) to help you use the package with less code.
+- Provides XSS filtering function to optionally escape all or specified column values using `escapeColumns('*'\['column'])` method.
 
 ## Buy me a beer
 <a href='https://pledgie.com/campaigns/29515'><img alt='Click here to lend your support to: Laravel Datatables and make a donation at pledgie.com !' src='https://pledgie.com/campaigns/29515.png?skin_name=chrome' border='0' ></a>

src/yajra/Datatables/Engines/BaseEngine.php

@@ -59,7 +59,7 @@ abstract class BaseEngine implements DataTableEngine
     protected $columns = [];
 
     /**
-     * DT columns definitions container (add/edit/remove/filter/order).
+     * DT columns definitions container (add/edit/remove/filter/order/escape).
      *
      * @var array
      */
@@ -69,6 +69,7 @@ abstract class BaseEngine implements DataTableEngine
         'excess' => ['rn', 'row_num'],
         'filter' => [],
         'order'  => [],
+        'escape' => [],
     ];
 
     /**
@@ -136,7 +137,7 @@ abstract class BaseEngine implements DataTableEngine
     /**
      * Output transformer.
      *
-     * @var TransformerAbstract
+     * @var \League\Fractal\TransformerAbstract
      */
     protected $transformer = null;
 
@@ -381,6 +382,19 @@ public function removeColumn()
         return $this;
     }
 
+    /**
+     * Declare columns to escape values.
+     *
+     * @param string|array $columns
+     * @return $this
+     */
+    public function escapeColumns($columns = '*')
+    {
+        $this->columnDef['escape'] = $columns;
+
+        return $this;
+    }
+
     /**
      * Allows previous API calls where the methods were snake_case.
      * Will convert a camelCase API call to a snake_case call.

src/yajra/Datatables/Processors/DataProcessor.php

@@ -12,6 +12,13 @@
 class DataProcessor
 {
 
+    /**
+     * Columns to escape value.
+     *
+     * @var array
+     */
+    private $escapeColumns = [];
+
     /**
      * Processed data output
      *
@@ -55,6 +62,7 @@ public function __construct($results, array $columnDef, array $templates)
         $this->appendColumns = $columnDef['append'];
         $this->editColumns   = $columnDef['edit'];
         $this->excessColumns = $columnDef['excess'];
+        $this->escapeColumns = $columnDef['escape'];
         $this->templates     = $templates;
     }
 
@@ -77,7 +85,7 @@ public function process($object = false)
             $this->output[] = $object ? $value : $this->flatten($value);
         }
 
-        return $this->output;
+        return $this->escapeColumns($this->output);
     }
 
     /**
@@ -169,4 +177,23 @@ public function flatten(array $array)
 
         return $return;
     }
+
+    /**
+     * Escape column values as declared.
+     *
+     * @param array $output
+     * @return array
+     */
+    protected function escapeColumns(array $output)
+    {
+        return array_map(function ($row) {
+            foreach ($row as $key => $value) {
+                if ($this->escapeColumns == '*' || in_array($key, $this->escapeColumns, true)) {
+                    $row[$key] = e($value);
+                }
+            }
+
+            return $row;
+        }, $output);
+    }
 }