url decode not working in version 12

We updated from version 10 to version 12 and we have a field that gets populated via an Apex class with some html.

We display the field contents in a template field with the following code:

In Version 10 the
are honored and the "
" text is not displayed.

In version 12 the
are not honored and the "
" are displayed.

Should I be using something other than {{#urlDecode}}{{/urlDecode}} to honor the html?

What page API version is this happening in? V1 or V2?



Hi Tami, I found another post related to using
in a formula field returning text:
Not sure if this would apply to your template field, but worth a shot.

Hi Khamla,

Thanks for your response. I don’t think that is the issue that I am experiencing because I am not using a formula field.

I am using a text field that gets populated with html via Apex Class. We then display the contents of that field in a Skuid template field using the {{#urlDecode}}{{/urlDecode}} code so that the html is shown properly. 

The above mentioned method works fine in version 10 but it doesn’t work in version 12.

This behavior of urlDecode was patched as of 12.0. It presented an unintended XSS vulnerability we wanted to protect our customers from. But I’m sorry it has bitten you!

We are researching better ways we can offer a supported method of inserting raw HTML for both V1 and V2, but in the interim, if you are in a V1 Skuid page, our recommendation is to achieve similar behavior with a custom renderer for that field in V1 (see below for the custom renderer code you can use).

```javascript
var field = arguments[0],
    // Note: The value below (arguments[1]) will be HTML-escaped, since this is what is returned in the snippet.
    // If you want the unescaped value, use model.getFieldValue(row, fieldId, noEscape) with noEscape set to true (see below)
    // value = arguments[1],
    fieldId = field.id,
    model = field.model,
    row = field.row,
    element = field.element,
    mode = field.mode,
    // The third argument here is noEscape. Setting it to true specifies that we DON'T want an HTML-escaped result for the model field value
    fieldValue = model.getFieldValue(row, fieldId, true),
    uriDecodedValue = decodeURIComponent(fieldValue);

// The decoded value is inserted as raw HTML, so any markup stored in the field is rendered as-is.
element.html(uriDecodedValue);
```

This works perfectly in V1 pages. Thank you!
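The custom renderer posted above passes the decoded field value straight to `element.html()`, which is the same raw-HTML behaviour that was patched out of `urlDecode` in 12.0. The following is an added example, not part of the original thread and not Skuid code: it escapes the decoded value first and then re-enables only attribute-free tags from an allowlist. The names `ALLOWED_TAGS`, `escapeHtml` and `safeDecodedHtml`, and the choice of tags, are assumptions made for illustration.

```javascript
// Added example (not Skuid code). ALLOWED_TAGS is an assumed allowlist; adjust to the markup the Apex class emits.
const ALLOWED_TAGS = ['br', 'b', 'i', 'em', 'strong', 'p', 'ul', 'ol', 'li'];

// Escape every character that is significant in HTML text or attribute context.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Matches an *escaped* tag that carries no attributes: &lt;br&gt;, &lt;/p&gt;, &lt;br /&gt;
const BARE_TAG = /&lt;(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*(\/?)&gt;/g;

function safeDecodedHtml(fieldValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(fieldValue);
  } catch (e) {
    decoded = fieldValue; // malformed percent-sequence: treat the value as literal text
  }
  // Everything is escaped first; only exact allowlisted bare tags are turned back into markup.
  return escapeHtml(decoded).replace(BARE_TAG, (match, close, name, selfClose) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.includes(tag)) return match; // unknown tag stays escaped
    if (close && selfClose) return match;          // "</br/>" is not a valid tag
    return '<' + close + tag + (selfClose ? ' /' : '') + '>';
  });
}

// Constructed sample values, as the Apex class might store them (URL-encoded).
const samples = [
  'Line%201%3Cbr%3ELine%202',
  '%3Cp%20onclick%3D%22x()%22%3Ehi%3C%2Fp%3E',
  '%3Cscript%3Ealert(1)%3C%2Fscript%3E',
];
samples.forEach((s) => console.log(safeDecodedHtml(s)));
```

In the V1 renderer the last line would then become `element.html(safeDecodedHtml(fieldValue));`, with `fieldValue` read through `model.getFieldValue(row, fieldId, true)` as in the post.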