# XSS Filtering

Since v7.0, all DataTables responses are HTML-encoded to prevent XSS attacks. If you need to render HTML in specific columns, use the `rawColumns` API to exempt only those columns from encoding.
> [!NOTE]
> The `action` column is allowed as raw by default.
## Raw Columns

```php
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::select())
        ->rawColumns(['name', 'action'])
        ->toJson();
});
```
## Escape Selected Fields

```php
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::select())
        ->escapeColumns(['name'])
        ->toJson();
});
```
## Escape All Columns

```php
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::select())
        ->escapeColumns()
        ->toJson();
});
```
## Remove Escaping of All Columns

```php
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::select())
        ->escapeColumns([])
        ->toJson();
});
```

> [!WARNING]
> Disabling escaping for all columns is dangerous and may expose your application to XSS attacks. Only use this option when you fully control the content.
## Escape by Output Index

```php
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::select())
        ->escapeColumns([0])
        ->make();
});
```
## Security Best Practices

| Practice | Description |
|---|---|
| Use `rawColumns` sparingly | Only allow HTML in columns that need it |
| Sanitize user input | Always sanitize data before rendering as HTML |
| Use the `e()` helper | Use Laravel's `e()` function for explicit escaping |
| Review exported data | Check exports for potential XSS vectors |
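The practices above come together when you build a raw column such as `action`: the column as a whole is exempt from the response encoding, so any user-controlled value placed inside its HTML has to be escaped by hand with `e()`. The following route is an added example, not code from the Yajra documentation; it assumes an `App\Models\Role` model with `id` and `name` attributes and a named route `roles.edit`, all of which are assumptions for illustration.

```php
<?php
// Added example (not from the Yajra docs): composing a raw "action" column
// safely. Assumes App\Models\Role has "id" and "name" attributes and that a
// named route "roles.edit" exists.

use Illuminate\Support\Facades\Route;
use Yajra\DataTables\Facades\DataTables;
use App\Models\Role;

Route::get('role-data', function () {
    return DataTables::eloquent(Role::query())
        // The action column is delivered as HTML, so every dynamic value that
        // ends up inside it is escaped explicitly. The role name comes from the
        // database and may have been entered by a user, so treat it as untrusted.
        ->addColumn('action', function (Role $role) {
            $url   = e(route('roles.edit', $role->id));
            $label = e($role->name);

            return '<a href="' . $url . '" class="btn btn-sm">Edit ' . $label . '</a>';
        })
        // Only the action column is passed through raw. "name" and every other
        // column remain encoded by the default XSS filter.
        ->rawColumns(['action'])
        ->toJson();
});
```

The split of responsibilities is what keeps this safe: `rawColumns` lists the one column that legitimately carries markup, and `e()` guarantees that the data embedded in that markup can never close the anchor or inject a new tag. A name stored as `<script>alert(1)</script>` is delivered to the browser as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the link text, while the surrounding `<a>` is rendered as intended.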
## See Also

- Raw Columns - Allow HTML in columns
- Security - Security best practices