dt2_cols_escape() now actually escapes HTML when
escape = TRUE (the default). Previously both
escape = TRUE and escape = FALSE produced the
same identity renderer, so cell content was always inserted as raw
HTML.
Server-side processing: the default request parser used by
dt2_ssp_handler() / dt2_bind_server() now
URL-decodes query-string keys, so global search and column
ordering are applied. Previously only pagination worked, because encoded
keys such as search%5Bvalue%5D and
order%5B0%5D%5Bcolumn%5D were never matched.
dt2() now fills options$columns from
the data when it is not supplied, matching the column list the
JavaScript side derives.
Name-based column helpers (dt2_cols_*(),
dt2_format_*(), dt2_order(), …) now emit an
informative warning when a column name cannot be resolved (for example
when options$columns was not set), instead of silently
producing an invalid target.
The number and date/time format helpers build their JavaScript using properly quoted and escaped string literals, fixing broken output when a prefix, suffix, locale or format string contained a quote.
print() for dt2_theme objects now also
shows the class field.
dt2_order(),
dt2_search_global(), dt2_use_buttons() and
dt2_language(), cross-linked
dt2_buttons()/dt2_use_buttons(), and
documented the options$columns pattern in the
vignettes.