vedmack / yadcf

Yet Another DataTables Column Filter (yadcf)
http://yadcf-showcase.appspot.com/
MIT License
731 stars 285 forks

Handling untrusted input (avoiding XSS) #629

Closed m417z closed 4 years ago

m417z commented 4 years ago

I'm not sure whether this would be a feature request or a question; perhaps I missed it. I can't find a straightforward way to handle untrusted input. For the default column data type, text, I'd expect any HTML code to be escaped, but that's not the case. Example: https://jsfiddle.net/havkj6er/

As you can see, I used the bare minimum set of options. Even if there's a solution, I'd suggest making it the default to escape HTML, to make the usage less prone to XSS vulnerabilities.

m417z commented 4 years ago

Here's a silly but working solution that escapes the text as Unicode lookalike characters, escaping HTML while maintaining a similar look of the text: https://jsfiddle.net/qwef9jvg/

Of course, it would be great if this can be fixed properly.
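As an added example (not code from yadcf and not the fiddle the issue author posted), the escaping the issue asks for, applied to untrusted column values before they are interpolated into the filter's `<select>` markup: `buildOptionsUnsafe` mirrors the raw interpolation the issue reports, and `buildOptionsSafe` is the hardened form where each value is HTML-escaped for both the attribute and the text node. The function names and the sample values are assumptions constructed for this illustration.

```javascript
// Added example (not yadcf's code): escape untrusted column values before
// they are interpolated into filter markup.

// Constructed sample of column values as they might arrive from an untrusted
// data source; the third one carries a script tag, the others carry quotes
// and an ampersand that would break attribute or text context.
const sampleValues = [
  "Tiger Nixon",
  'Garrett "Winters"',
  "<script>alert(1)</script>",
  "O'Neil & Sons",
];

// Characters with special meaning in HTML text and attribute contexts and
// their entity replacements. The single-quote entity is numeric so it works
// in HTML4 as well as HTML5.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass with a lookup callback: each character is replaced exactly
// once, so there is no ordering problem (e.g. escaping "&" after "<" would
// otherwise turn "&lt;" into "&amp;lt;").
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: raw interpolation of the value into the option markup. This is the
// behaviour the issue describes; any markup in the data becomes live HTML.
function buildOptionsUnsafe(values) {
  return values.map((v) => `<option value="${v}">${v}</option>`).join("");
}

// Safe: the value is escaped once and the escaped form is used in both the
// quoted attribute and the element text. Quoting the attribute is required;
// an unquoted attribute would still be breakable by whitespace.
function buildOptionsSafe(values) {
  return values
    .map((v) => {
      const escaped = escapeHtml(v);
      return `<option value="${escaped}">${escaped}</option>`;
    })
    .join("");
}

// Detection helper: true when a rendered fragment still contains a raw tag
// opener, i.e. an unescaped "<" followed by a letter or a slash.
function containsRawTag(html) {
  return /<[a-zA-Z/]/.test(html.replace(/<\/?option\b[^>]*>/g, ""));
}

// Stand-alone demonstration over the constructed values.
console.log("unsafe contains raw tag:", containsRawTag(buildOptionsUnsafe(sampleValues)));
console.log("safe contains raw tag:  ", containsRawTag(buildOptionsSafe(sampleValues)));
console.log(buildOptionsSafe(sampleValues));
```

In a browser the same result is reached without string building at all: create each `option` with `document.createElement("option")` and assign the untrusted value to its `textContent` and `value` properties, which never parse the value as markup. The string version is shown here because the filter markup in the issue is assembled as a string, and because it runs outside a browser.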

vedmack commented 4 years ago

Hi @m417z, thanks for checking this out. Since I'm very busy lately I won't be able to handle this myself, so a PR will be welcomed.