customd / jquery-calendar

A full day, week, and resource calendar for use with jQuery.
MIT License

Embed HTML into event title / content #16

Closed jarrettchisholm closed 10 years ago

jarrettchisholm commented 10 years ago

Is there a way to embed HTML into an event title / content?

When I try to, for example, put a link in the title, it just shows the html code as text, instead of adding a hyperlink.

samatcd commented 10 years ago

At present, no — this would be simple to hack into the code — just replace usage of .text with .html. I'm using .text by default, because it's a potential CSRF / injection security risk if users are able to enter the titles themselves. An attacker could potentially embed a malicious script or iframe into the page, but as long as you're sanitising user input correctly it should be fine.

Cheers, Sam


D I G I T A L F U S I O N L I M I T E D Customer Based Thinking

Sam Sehnert Phone: +64-3-377 3797 Web Site: http://www.teamdf.com Blog: http://www.teamdf.com/web/

FileMaker Business Alliance Platinum Xero Approved Developer



jarrettchisholm commented 10 years ago

Ah fair enough - thanks for the reply Sam!

Would you be interested in a patch to allow users to enable/disable html embedding via a calendar property?

i.e.:

var calendar = $('#calendar_' + id).cal({

    startdate       : $.cal.date().addDays(1-$.cal.date().format('N')), // Week beginning sunday.

    allowresize     : true,
    allowmove       : true,
    allowselect     : true,
    allowremove     : true,
    allownotesedit  : true,

    allowhtml       : true,    // <--- New property

    // Start and end times for the days
    daytimestart    : '07:00:00',
    daytimeend      : '20:00:00',
    //...etc, etc
});

I've already got it working in my dev environment, just wondering if you'd be interested.

Thanks again for the quick reply!
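The trade-off discussed above (`.text` by default, `.html` behind an `allowhtml` flag), as an added example that is not part of the thread or of jquery-calendar's code: titles are escaped first and only a small allowlist of tags is reinstated, so a link renders while scripts and event handlers stay visible as text. The names `escapeHtml`, `renderTitle` and `TOKEN` are hypothetical, and the allowlist is an assumption.

```javascript
// Added example. escapeHtml, renderTitle and TOKEN are hypothetical names,
// not part of jquery-calendar.

// Same effect as rendering with jQuery's .text(): markup characters become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Matched against the *escaped* string, in a single pass:
//   1. attribute-free formatting tags  <b> <i> <em> <strong> (open or close)
//   2. <a href="http(s)://..."> in exactly this shape, with no other attributes
//   3. </a>
const TOKEN = new RegExp(
  '&lt;(/?)(b|i|em|strong)&gt;' +
  '|&lt;a href=&quot;(https?://\\S*?)&quot;&gt;' +
  '|&lt;/a&gt;', 'gi');

// Returns a string that is safe to hand to .html().
//   allowhtml false: fully escaped text (the calendar's existing behaviour).
//   allowhtml true : escape everything first, then reinstate only the
//                    allowlisted tokens; all other markup stays visible as text.
function renderTitle(title, allowhtml) {
  const escaped = escapeHtml(title);
  if (!allowhtml) return escaped;
  return escaped.replace(TOKEN, (match, slash, tag, url) => {
    if (tag) return `<${slash}${tag.toLowerCase()}>`;
    // url is still entity-escaped, so it cannot close the attribute.
    if (url) return `<a href="${url}" rel="noopener noreferrer">`;
    return '</a>';
  });
}

// Constructed sample titles, as a user might submit them.
const samples = [
  'Meeting <a href="https://example.com/agenda">agenda</a>',
  '<b>Lunch</b> <script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
  '<a href="https://example.com" onclick="x()">y</a>',
];
for (const s of samples) console.log(renderTitle(s, true));
```

Because the output contains only tags the function itself emits, a `javascript:` URL or an extra attribute such as `onclick` never matches and is left escaped.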

samatcd commented 10 years ago

Yes, that could definitely be useful, thanks.

jarrettchisholm commented 10 years ago

closed (issue duplicated by pull request - #19)