jQuery UI Widgets Forums Grid XSS

This topic contains 3 replies, has 2 voices, and was last updated by  Peter Stoev 8 years, 1 month ago.

    XSS #84295

    cristiano
    Participant

    Hello there,

    It seems like all the grid components are vulnerable to XSS attacks (cell rendering, grouping, etc.). This is quite bad; I have had to patch up the jqxgrid and jqxgrouping code in order to prevent this, but I probably only fixed part of it and not everywhere. It looks like the code of all the widgets relies on string concatenation to build HTML, which is discouraged. How difficult would it be to make the library XSS safe? Any plans on doing that?
    Other widgets, such as the dropdown one, also suffer from this issue.

    XSS #84298

    Peter Stoev
    Keymaster

    Hi cristiano,

    We want to put HTML in the cells, groups, etc., and we do not want to restrict our users from doing what they wish. We have no plans to change this in the future either. If someone has some doubts about XSS, validation logic could easily be implemented.

    Best Regards,
    Peter Stoev

    XSS #84317

    cristiano
    Participant

    Is there any guide on how to easily implement HTML escaping of data to prevent XSS without having to go through the actual code? For example, I know you can have a custom renderer on cells, which may help to prevent XSS as you can escape values there, but for grouping and column names there is no such easy way to prevent XSS.

    XSS #84331

    Peter Stoev
    Keymaster

    Hi cristiano,

    Custom render callbacks are available for everything – cells, headers, groups, aggregates, toolbars, statusbars, pagers, etc.

    Best Regards,
    Peter Stoev

    jQWidgets Team
    http://www.jqwidgets.com
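The escaping approach both posters refer to, as an added example that is not part of this thread or of the jQWidgets library: an `escapeHtml` helper applied inside a custom cell render callback so that untrusted data is shown literally instead of being concatenated into the grid's markup as HTML. The `cellsrenderer` callback shape (`row, columnfield, value, defaulthtml, columnproperties, rowdata`) is assumed from jqxGrid's column options; the sample rows are constructed.

```javascript
// Map of the five characters that matter inside HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so the browser renders it as text, never as markup.
// null/undefined become an empty string; any other value is stringified first.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Custom cell renderer in the assumed shape of jqxGrid's column `cellsrenderer`
// option. Instead of letting the grid concatenate the raw value into its HTML,
// we build the cell fragment ourselves around the escaped value.
function safeCellsRenderer(row, columnfield, value, defaulthtml, columnproperties, rowdata) {
  return '<div class="jqx-grid-cell-left-align" style="margin-top: 6px;">' +
    escapeHtml(value) + '</div>';
}

// Same principle for any other render callback (headers, groups, aggregates):
// every piece of untrusted text that goes into the returned string is escaped.
function safeGroupRenderer(text) {
  return '<div class="group-header">' + escapeHtml(text) + '</div>';
}

// Constructed sample data: one benign row and one row carrying markup in its fields.
const SAMPLE_ROWS = [
  { name: 'Alice', note: 'plain text' },
  { name: '<script>alert("xss")</script>', note: 'Tom & "Jerry"' },
];

// Push the constructed rows through the escaping renderer and return the fragments,
// so the result can be inspected without a browser or the grid itself.
function renderSample() {
  return SAMPLE_ROWS.map((r, i) => safeCellsRenderer(i, 'name', r.name, '', {}, r));
}

// Assumed column configuration wiring the renderer in (shape from jqxGrid docs):
// columns: [{ text: 'Name', datafield: 'name', cellsrenderer: safeCellsRenderer }]
```

The cell for the second row contains `&lt;script&gt;...` rather than a script tag, so the grid displays the payload as text; the same wrapper pattern applies to every other render callback the grid exposes.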
