Announcement

Collapse
No announcement yet.
X
Collapse
  • Page of 1
  • Filter
  • Time
Clear All
new posts
Previous template Next
    #1

    Potential security vulnerability in listgrid?!?!

    Dear Isomorphic,

    I found a potetial XSS style security problem in your listgrid control (and possibly others controls like the treeview).

    If you enter any html in a listgrid cell this will be rendered as such. This can include a malicous script in e.g. a img tag, like <img src="javascript:alert('bad script')">.

    I tried to prevent this by encoding the htmlentities server side, but then when you edit teh cell it will show stuff like &lt; etc.

    Do you have a workaround? Maybe by adding a shortDisplayFormatter for the text type? Any sugestions?

    Thanks in advance,

    Arjan Mels
    Tags: None
    #2
    A workaround that works for me for text fields:

    Code:
     function escapeHTMLEncode(str) {
 
  var text = document.createTextNode(str);
  var div = document.createElement("div");
  div.appendChild(text);
  return div.innerHTML;
 }

isc.builtinTypes.text.shortDisplayFormatter = function (value, field) {
           return escapeHTMLEncode(value);
        };
    HOWEVER studying the simpletype stuff, it becomes apparent this sort of code NEEDS to added to more places (e.g. the date/integer/float types all have a path where they simply return the value (in case the actual value is not of the expected type.)

    Dear Isomorphic, will you address this in the final 7 release?

    Best Regards,

    Arjan Mels
    Last edited by Arjan Mels; 16 Jan 2009, 14:38.

    Comment

      #3
      Any feedback on how this should be properly handled?

      Thanks in advance ,

      Arjan

      Comment

      Previous template Next
      Working...
      X