
    [false vulnerability] Security vulnerability "Cross Site Scripting" in SmartGWT ListGrid

    A "Cross Site Scripting" security vulnerability was found in an application based on SmartGWT.
    What is the recommended way to prevent this vulnerability in ListGrid and TreeGrid?
    The issue can easily be recreated using the "Edit by Row" showcase.
    Insert this value into Country: <img src=x onerror=alert(1);>
    When the value is saved, the JavaScript is executed and an alert is displayed.
    Last edited by Isomorphic; 25 Nov 2022, 13:34.

    This is not a vulnerability, you are showing an alert to yourself, and the data you're editing is sandboxed to you.

    Bigger picture, if you have a text field, you should decide what is allowed to be saved in it. You can disallow HTML-special characters (such as "<" and ">") via a validator, or, if HTML characters are allowed, you can set dataSourceField.escapeHTML to prevent their interpretation as HTML.


      Thank you for the reply. Characters such as "<" and ">" are valid for many text fields and should be allowed, but should not be interpreted as HTML. How do I set escapeHTML for a ListGrid field?


        We're not sure what you're asking - escapeHTML is set like any other property; it just looks like "escapeHTML:true" in the midst of the JS definition of a field, for example.

        If you don't know how to set properties in general in SmartClient, you should start with the QuickStart Guide.
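
The two defences named in the replies above (a validator that rejects HTML-special characters, and a field-level escapeHTML setting) are shown below in a stand-alone JavaScript example. This is added illustration code, not SmartClient or SmartGWT code: the field definitions only borrow the `{name, escapeHTML}` shape from the thread, and `renderCell`/`renderRow` are a minimal mock of a grid building cell markup, not the real ListGrid. The sample record reuses the payload from the original post. Note that the rendering path is the same whoever supplied the stored value, so once grid data is shared between users the escapeHTML setting is what keeps a stored payload from running in someone else's browser.

```javascript
// Added example (not SmartClient/SmartGWT code): a stand-in grid cell renderer
// that demonstrates the two defences discussed in the thread. Field definitions
// mirror the {name, escapeHTML} shape from the thread; the renderer is a mock.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five HTML-significant characters so a value is displayed literally
// in an HTML text node instead of being parsed as markup.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validator equivalent of "disallow HTML-special characters": passes only when
// the value contains neither '<' nor '>'. Use this when markup is never legitimate.
function noHTMLCharsValidator(value) {
  return !/[<>]/.test(String(value));
}

// Mock of what a grid does when building one cell: with escapeHTML set on the
// field definition the value is encoded, otherwise it is spliced in as raw HTML.
function renderCell(field, value) {
  const text = field.escapeHTML ? escapeHTML(value) : String(value);
  return `<td>${text}</td>`;
}

// Build a table row for one record from the field definitions.
function renderRow(fields, record) {
  return "<tr>" + fields.map((f) => renderCell(f, record[f.name])).join("") + "</tr>";
}

// Constructed sample input: the payload from the original post stored in Country.
const PAYLOAD = "<img src=x onerror=alert(1);>";
const RECORD = { country: PAYLOAD, population: 1000 };

// Weak field definitions (HTML interpreted) beside the hardened ones (escapeHTML: true).
const FIELDS_WEAK = [{ name: "country" }, { name: "population" }];
const FIELDS_HARDENED = [
  { name: "country", escapeHTML: true },
  { name: "population", escapeHTML: true },
];

// Run both defences against the payload and return what each produces.
function demo() {
  return {
    validatorRejects: !noHTMLCharsValidator(PAYLOAD),
    weakRow: renderRow(FIELDS_WEAK, RECORD),
    hardenedRow: renderRow(FIELDS_HARDENED, RECORD),
  };
}

console.log(demo());
```

With the weak definitions the row contains a live `<img ... onerror=...>` element; with `escapeHTML: true` the same stored string is shown as the literal text `<img src=x onerror=alert(1);>`. The validator is the right choice only for fields where angle brackets are never legitimate input; escaping is the choice when, as the poster says, such characters must be stored but not interpreted. Escaping covers the HTML text-node context the grid cell represents; a value placed into an attribute or a script block needs context-specific encoding instead.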