    Potential security vulnerability in listgrid?!?!

    Dear Isomorphic,

    I found a potential XSS style security problem in your listgrid control (and possibly other controls like the treeview).

    If you enter any html in a listgrid cell this will be rendered as such. This can include a malicious script in e.g. an img tag, like <img src="javascript:alert('bad script')">.

    I tried to prevent this by encoding the htmlentities server side, but then when you edit the cell it will show stuff like &lt; etc.

    Do you have a workaround? Maybe by adding a shortDisplayFormatter for the text type? Any suggestions?

    Thanks in advance,

    Arjan Mels

    #2
    A workaround that works for me for text fields:

    Code:
    // Escape a string for HTML by letting the browser serialize it as a text node.
    function escapeHTMLEncode(str) {
        var text = document.createTextNode(str);
        var div = document.createElement("div");
        div.appendChild(text);
        return div.innerHTML;
    }

    // Apply the escaping to every cell displayed with the built-in text type.
    isc.builtinTypes.text.shortDisplayFormatter = function (value, field) {
        return escapeHTMLEncode(value);
    };
    HOWEVER studying the simpletype stuff, it becomes apparent this sort of code NEEDS to be added to more places (e.g. the date/integer/float types all have a path where they simply return the value, in case the actual value is not of the expected type).

    Dear Isomorphic, will you address this in the final 7 release?

    Best Regards,

    Arjan Mels
    Last edited by Arjan Mels; 16 Jan 2009, 14:38.
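    One way to close the gap described in the post above, as an added example that is not part of the original thread or of SmartClient: a wrapper that escapes whatever a type's formatter returns, so the raw-value fall-through path of the date/integer/float types is covered too. The formatter signature, the `naiveDateFormatter` stand-in and the `isc.builtinTypes` registration lines are assumptions based on the post; the escaping itself does not depend on the DOM, so it runs outside a browser.

    ```javascript
    // Added example, not code from the original post or from SmartClient.
    // Characters that can open a tag or break out of an attribute value.
    const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

    // Escape any value for HTML output. Unlike the createTextNode trick it also
    // escapes quotes, and it coerces non-strings (numbers, dates) first.
    function escapeHTML(value) {
      return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
    }

    // Wrap a type's existing formatter so its result is always escaped, including
    // the case where the type gives up and returns the raw cell value unchanged.
    // Signature (value, field, component, record) is assumed from the post.
    function makeSafeFormatter(baseFormatter) {
      return function (value, field, component, record) {
        if (value == null) return "";
        const formatted = baseFormatter
          ? baseFormatter(value, field, component, record)
          : value;
        return escapeHTML(formatted);
      };
    }

    // Hypothetical stand-in for a date type formatter with the fall-through path
    // the post describes: non-Date values are returned as-is.
    function naiveDateFormatter(value) {
      return value instanceof Date ? value.toISOString().slice(0, 10) : value;
    }

    const safeTextFormatter = makeSafeFormatter(null);
    const safeDateFormatter = makeSafeFormatter(naiveDateFormatter);

    // Constructed sample: the payload quoted in the first post, as it would sit in
    // a text cell and, as a string, in a date cell.
    const payload = '<img src="javascript:alert(\'bad script\')">';

    // Registration in SmartClient would look like this (assumed API, not run here):
    //   isc.builtinTypes.text.shortDisplayFormatter = safeTextFormatter;
    //   isc.builtinTypes.date.shortDisplayFormatter = safeDateFormatter;
    ```

    Both formatters render the sample payload as inert text, and real Date values still format normally.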

      #3
      Any feedback on how this should be properly handled?

      Thanks in advance,

      Arjan
