xssSafe

enables the XSS safety mode

boolean xssSafe;

Example

webix.ui({
    view: "spreadsheet",
    xssSafe: true
});


Default value:

false

Details

When the parameter is set to true, Spreadsheet will:

  • escape the HTML set in a cell
  • escape the HTML generated by math methods, except for the methods that have permission to generate HTML
  • allow IMAGE to use only base64-encoded data and images from the same domain (otherwise it throws an error)
  • escape the HTML specified in a number format

The methods which are allowed to generate HTML by default are the following: "IMAGE", "HYPERLINK", "SPARKLINE", "CHECKBOX", "RADIO".

If you need to allow a custom method to generate HTML while the xssSafe property is enabled, set the generateHTML parameter of the registerMathMethod() method to true. Check the example below:

const spreadsheet = webix.ui({
    view: "spreadsheet",
    xssSafe: true
});

// the last argument (generateHTML = true) lets "bold" output HTML under xssSafe
spreadsheet.registerMathMethod("bold", v => `<b>${v}</b>`, null, true);
// the cell renders <b>text</b> instead of the escaped markup
spreadsheet.setCellValue(1, 1, '=bold("text")');

Note that for a method with allowed HTML generation, the formula must consist of that method call only. For example, =IMAGE(...) will generate an image, but =IMAGE(...)&"text" will be escaped.
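The rules above (escape cell HTML, let only permitted methods emit HTML, restrict IMAGE sources, and escape any formula that is not a bare method call) can be modelled as a small rendering policy. The code below is an added illustration, not Webix's implementation; the function names, the cell shape `{ value, result }` and the assumption that IMAGE receives a literal string argument are all choices made for this example.

```javascript
// Added model of the xssSafe policy described on this page (not Webix code).
// Method names that may emit HTML by default, as listed on the page.
const HTML_METHODS = new Set(["IMAGE", "HYPERLINK", "SPARKLINE", "CHECKBOX", "RADIO"]);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// True only when the whole formula is one call to `name`, e.g. =IMAGE(...).
// Anything after the matching closing paren (such as &"text") fails the check.
function isSoleMethodCall(formula, name) {
  const m = /^=\s*([A-Za-z_]+)\s*\(/.exec(formula);
  if (!m || m[1].toUpperCase() !== name) return false;
  let depth = 0, inStr = false;
  for (let i = m[0].length - 1; i < formula.length; i++) {
    const c = formula[i];
    if (c === '"') inStr = !inStr;
    else if (!inStr) {
      if (c === "(") depth++;
      else if (c === ")" && --depth === 0) return formula.slice(i + 1).trim() === "";
    }
  }
  return false;
}

// IMAGE under xssSafe: only base64 data URLs or same-origin images are allowed.
function isAllowedImageSource(src, origin) {
  if (/^data:image\/[a-z0-9.+-]+;base64,/i.test(src)) return true;
  try { return new URL(src, origin).origin === origin; } catch (e) { return false; }
}

// `value` is the raw cell content, `result` the evaluated formula output (constructed here).
// `allowedMethods` is HTML_METHODS plus any method registered with generateHTML = true.
function renderCell({ value, result }, allowedMethods, origin) {
  if (typeof value !== "string" || !value.startsWith("=")) return escapeHtml(value);
  const m = /^=\s*([A-Za-z_]+)\s*\(\s*(?:"([^"]*)")?/.exec(value);
  const name = m ? m[1].toUpperCase() : "";
  if (!allowedMethods.has(name) || !isSoleMethodCall(value, name)) return escapeHtml(result);
  if (name === "IMAGE" && !isAllowedImageSource(m[2] || "", origin))
    throw new Error("xssSafe: IMAGE source must be base64 or same-origin");
  return result; // a permitted method alone in the formula: HTML passes through
}
```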
