
HTML tag in JSON not work #47

Open
ormbook opened this issue Jan 29, 2014 · 4 comments

Comments


ormbook commented Jan 29, 2014

I put HTML tags in the JSON, such as <a> and <img>, but dynatable does not show the link or image in the table row.


ormbook commented Jan 29, 2014

I tried using &lt; instead of < in the JSON. It works.

@JangoSteve (Member)

I'm not sure what the issue is exactly. Dynatable works fine with HTML inside the JSON dataset. See this example on JSFiddle.

@JangoSteve (Member)

Also, I should state too that it's intentional that dynatable does work by default with HTML tags in the JSON. It's been brought up by @akgood that it could be a security concern that dynatable treats HTML within JSON as a trusted entity by default. And he's absolutely right.

The reason it doesn't escape HTML entities by default is for the default use-case that you have an HTML table with data and the JSON is being built from that.

As in the first example in the docs, the table is populated with little flag images for each country. If the default was to treat JSON as text such that HTML tags get escaped, then you would have your table filled with little icons, you'd call .dynatable() on it, and suddenly when you sort, it'd be filled with escaped html entities and your icons would be gone.

One of my requirements for the plugin was to be super simple to implement and to leave your data alone (i.e. making no assumptions on your behalf) by default. I think it's one of those situations where there's not necessarily a right answer.

But you can easily configure dynatable to treat JSON data as untrusted if you have, for example, some JSON where an attribute's value has some HTML which you want to be treated as plain text and not inserted into the DOM as HTML (which could expose an XSS vulnerability).

In that case, do this if you want it to show escaped html entities:

```javascript
$.dynatableSetup({
  writers: {
    // Insert the value as text, then read it back as HTML: the browser
    // serializer escapes <, > and &, so the cell shows the tags literally.
    _attributeWriter: function(record) {
      return $('<div />').text(record[this.id]).html();
    }
  }
});
```

Or do this if you want it to show the text equivalent (ignoring html entities, images, etc.):

```javascript
$.dynatableSetup({
  writers: {
    // Let the browser parse the value into a detached element, then read
    // back only its text content: tags, images and entities are dropped.
    _attributeWriter: function(record) {
      return $('<div />').html(record[this.id]).text();
    }
  }
});
```
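An added example, written for this thread and not taken from the dynatable project or from anyone posting here, that takes the escaping writer above one step further: rather than a global trusted/untrusted choice, it escapes every column as text except an allow-list of columns known to hold server-generated markup (such as the flag-image column described earlier). It runs without jQuery; escapeHtml stands in for the $('<div />').text(v).html() idiom, and TRUSTED_HTML_COLUMNS, attributeWriter, renderRow and the sample record are names assumed for the demo, not dynatable API.

```javascript
// Mirrors $('<div />').text(v).html(): the browser serializer escapes &, < and >.
// Quotes are escaped as well so the result is also safe inside attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Columns whose markup our own server generates (never built from user input).
// Assumed allow-list for the demo.
const TRUSTED_HTML_COLUMNS = new Set(['flag']);

// Same shape as dynatable's _attributeWriter: `this` is the column descriptor
// ({id: 'name'}) and `record` is one JSON row. Everything not allow-listed is
// rendered as escaped text, so a tag inside user data stays visible text.
function attributeWriter(record) {
  const value = record[this.id];
  if (value === undefined || value === null) return '';
  return TRUSTED_HTML_COLUMNS.has(this.id) ? String(value) : escapeHtml(value);
}

// Builds one <tr> the way a row writer would: the attribute writer is called
// once per column with that column's descriptor bound as `this`.
function renderRow(record, columns) {
  const cells = columns.map(
    (col) => '<td>' + attributeWriter.call(col, record) + '</td>'
  );
  return '<tr>' + cells.join('') + '</tr>';
}

// Constructed sample: a server-generated flag image next to a user-supplied
// name that carries a script tag.
const COLUMNS = [{ id: 'flag' }, { id: 'name' }];
const SAMPLE_RECORD = {
  flag: '<img src="/flags/us.png" alt="US">',
  name: 'Mallory <script>alert(1)</script>',
};

// Returns the rendered row; the flag markup passes through, the name is escaped.
function demo() {
  return renderRow(SAMPLE_RECORD, COLUMNS);
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```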


ormbook commented Jan 30, 2014

I use PHP to generate the pre-json tag, querying MySQL and calling json_encode.

===============pre-json.php=============================
```php
$rows = array();
$txt = '';

// $rs1 is the result of the MySQL query run earlier in this file.
// (mysql_* functions are deprecated; mysqli or PDO are the supported replacements.)
while ($r = mysql_fetch_assoc($rs1)) {
    // add button in $r
    // note: uidContact is dropped straight into the onClick attribute without escaping
    $r["option"] = "<a href=\"#AddNewContact\" data-toggle=\"tab\" onClick=\"fnAddContact('" . $r['uidContact'] . "')\"><button>+Add</button></a>";
    $r["img"] = "<img src='https://cordis.europa.eu/partners/image/user_male_portrait%3Fimg_id%3D0' style='width:50px'>";

    // change < --> &lt; and > --> &gt; so the tags survive as text inside the JSON
    $r["option"] = str_replace("<", "&lt;", $r["option"]);
    $r["option"] = str_replace(">", "&gt;", $r["option"]);
    $r["img"] = str_replace("<", "&lt;", $r["img"]);
    $r["img"] = str_replace(">", "&gt;", $r["img"]);

    $rows[] = $r;
}

// hidden div that holds the JSON records for dynatable to read
$txt .= '<div id="json-records-recommend" contenteditable style="visibility:hidden;">';
$txt .= json_encode($rows);
$txt .= '</div>';
```

and then included by a server-side include into table.php.

According to my post, pre-json.php, which is included into table.php, does not work with HTML tags.

But I can solve it by using &lt; and &gt; instead of < and >.
