XSS and escapeHtml

Several of the dwr.util functions (addRows, setValue(s), getValue(s)) feature an optional 'options' parameter, which allows you to customize how the function performs.

Of these the most important, and most common is escapeHtml:false.

This option has existed since DWR version 2.0, when DWR added input data filtering to help prevent XSS attacks. For more information on XSS see:

By default (since version 2.0) DWR assumes that characters such as <, >, &, " and ' should be escaped before inclusion in HTML. However, there are times when this is not what you want, particularly when you wish to add HTML to a page.

Passing { escapeHtml:false } as the options parameter of a dwr.util function call makes DWR skip output escaping before adding the string to the web page. See an example on the setValues() page.

If you find yourself using escapeHtml on every function call, then you can set the default escapeHtml flag to false using the following code:
However, before doing this, please understand that there are serious risks associated with XSS attacks.
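To make the effect of the per-call option and of a global default concrete, here is an added example that models the behaviour described above. It is not DWR's own code and not the DWR API: escapeHtml, setValue, setEscapeHtml and FakeElement are names assumed for this illustration, and the assumption that setValue writes to innerHTML (as dwr.util does for non-form elements) is a simplification so the example runs outside a browser.

```javascript
// Added example (not DWR's own code): a model of a dwr.util-style setValue
// with and without escapeHtml, so the effect of escapeHtml:false on an
// untrusted string can be seen without a browser. All names below are
// assumptions for this illustration, not the DWR API.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Stand-in for a DOM element; assumed here to be written via innerHTML.
class FakeElement {
  constructor(id) { this.id = id; this.innerHTML = ''; }
}

// Module-level default, the equivalent of a global escapeHtml flag.
let defaultEscapeHtml = true;
function setEscapeHtml(flag) { defaultEscapeHtml = !!flag; }

// Write value into el; options.escapeHtml overrides the default when present.
function setValue(el, value, options) {
  const escape = options && 'escapeHtml' in options ? options.escapeHtml : defaultEscapeHtml;
  el.innerHTML = escape ? escapeHtml(value) : String(value);
  return el.innerHTML;
}

// Report whether an element tag survived into the rendered output.
// A crude check, used only to make the difference visible in the demo.
function containsRawMarkup(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed sample inputs: a user-controlled string a server method might
// return unchanged, and a fragment the application itself built.
const untrusted = '<img src=x onerror="alert(1)">';
const trustedFragment = '<b>Order #42 shipped</b>';

function demo() {
  const el = new FakeElement('status');
  const results = {};
  // Default: escaped, so the string is rendered as text, not parsed as a tag.
  results.defaultEscaped = setValue(el, untrusted);
  // Per-call escapeHtml:false: the string goes in verbatim.
  results.explicitRaw = setValue(el, untrusted, { escapeHtml: false });
  // The legitimate use: application-built HTML that must not be escaped.
  results.trustedRaw = setValue(el, trustedFragment, { escapeHtml: false });
  // Global default switched off: every call without options is now raw.
  setEscapeHtml(false);
  results.globalDisabled = setValue(el, untrusted);
  setEscapeHtml(true);
  return results;
}
```

The point the demo makes is that the global flag changes the outcome for every call that omits the options parameter, so after switching it off each call site must independently guarantee that what it writes is application-built markup rather than something derived from user input.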