    [false vulnerability] Security vulnerability "Cross Site Scripting" in SmartGWT ListGrid

    Security vulnerability "Cross Site Scripting" was found in an application based on SmartGWT.
    https://owasp.org/www-project-web-se...Site_Scripting
    What is the recommended way to prevent this vulnerability in ListGrid and TreeGrid?
    This issue can be easily recreated using the "Edit by Row" showcase.
    Insert this value into Country: <img src=x onerror=alert(1);>
    When the value is saved, JavaScript is executed and an alert is displayed.
    (Screenshot attached: crossSiteScripting.png)
    Last edited by Isomorphic; 25 Nov 2022, 13:34.

    #2
    This is not a vulnerability: you are showing an alert to yourself, and the data you're editing is sandboxed to you.

    Bigger picture, if you have a text field, you should decide what is allowed to be saved in it. You can disallow HTML-special characters (such as "<" and ">") via a validator, or, if HTML characters are allowed, you can set dataSourceField.escapeHTML to prevent their interpretation as HTML.



      #3
      Thank you for the reply. Characters (such as "<" and ">") are valid for many text fields and should be allowed, but should not be interpreted as HTML. How do I set escapeHTML for a ListGrid field?



        #4
        We're not sure what you're asking - escapeHTML is set like any other property; it just looks like `escapeHTML:true` in the midst of the JS definition of a field, for example.

        If you don't know how to set properties in general in SmartClient, you should start with the QuickStart Guide.

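An added illustration, not code from this thread or from SmartClient/SmartGWT, of the two options named in post #2: a field that rejects "<" and ">" with a validator, and a field that keeps them but sets `escapeHTML:true`. The `validateValue`, `escapeHTML` and `renderCell` helpers are assumed stand-ins for what the grid does when it validates and renders a cell, and the regexp expression is an assumption.

```javascript
// Field definition option 1 (assumed shape): disallow HTML-special characters.
const restrictiveField = {
  name: "countryName",
  validators: [{ type: "regexp", expression: "^[^<>]*$" }] // no "<" or ">"
};

// Field definition option 2 (assumed shape): allow them, but never treat as markup.
const escapingField = {
  name: "countryName",
  escapeHTML: true
};

// Stand-in for the validator pass: true when every regexp validator accepts the value.
function validateValue(field, value) {
  return (field.validators || []).every(v =>
    v.type !== "regexp" || new RegExp(v.expression).test(String(value)));
}

// Minimal HTML escaping: each special character becomes its entity.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHTML(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Stand-in for cell rendering: with escapeHTML the stored value is inert text;
// without it the value is emitted as-is and the browser interprets it as HTML.
function renderCell(field, value) {
  return field.escapeHTML ? escapeHTML(value) : String(value);
}

// Constructed sample: the value from the original post.
const payload = "<img src=x onerror=alert(1);>";

console.log("validator accepts payload:", validateValue(restrictiveField, payload)); // false
console.log("escaped cell:", renderCell(escapingField, payload)); // &lt;img src=x onerror=alert(1);&gt;
```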