EasyUI Forum
Topic: EasyUI security issues (Read 7117 times)
A-K (Full Member, Posts: 122)
« on: July 21, 2015, 04:00:59 AM »

Hey,

Our team just found out that script tags and also other elements can be entered into the datagrid rows when in edit mode, and after endEdit is called they are activated!
This is a security issue, and I don't think that everyone who uses EasyUI should start testing the user input for script tags and so on.

This is something EasyUI should handle at the infrastructure level.

Please check it out here: http://jsfiddle.net/3L4ej4dx/43/
I have entered a script tag into the first row with a plus sign in the <+script> and in the </+script>; remove the plus from it and watch the script being activated.

Thanks.
A-K (Full Member, Posts: 122)
« Reply #1 on: July 22, 2015, 10:31:55 AM »

hey stworthy, any updates on this?

Thanks.
stworthy (Administrator, Hero Member, Posts: 3581)
« Reply #2 on: July 22, 2015, 06:15:52 PM »

You can define a validate type and apply it to the editor to prevent typing a <script> tag.
Code:
<script>
// Register a custom validatebox rule named "noscript"; an editor using it
// rejects any value that contains the literal string "<script>" (case-insensitive).
$.extend($.fn.validatebox.defaults.rules, {
    noscript: {
        validator: function(value, param){
            if (String(value).toLowerCase().indexOf('<script>') >= 0){
                return false;
            }
            return true;
        },
        message: 'The script tag is not allowed.'
    }
});
</script>

You can also define the 'onEndEdit' event to convert all the row content to what you want.
Code:
$('#dg').datagrid({
    // After an edit ends, rewrite every non-empty cell of the row: each
    // literal "<script>" opening tag is replaced by its entity-encoded form.
    onEndEdit: function(index, row){
        for (var field in row){
            if (row[field]){
                row[field] = String(row[field]).replace(/<script>/ig, '&lt;script&gt;');
            }
        }
    }
});

Please refer to this updated example: http://jsfiddle.net/3L4ej4dx/44/
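The reply above matches only the literal string "<script>"; the added example below (not EasyUI's or stworthy's code) instead entity-encodes every string cell in the row, so any markup a user types is displayed as text. It assumes a handler with the same (index, row) shape as EasyUI's onEndEdit callback and uses constructed sample rows.

```javascript
// Entity mapping for the characters that can open markup or break out of an
// attribute value. Encoding all five is what makes the cell safe as HTML text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use as HTML text. Case and spacing of a tag do not matter
// here, because the "<" itself is what gets neutralised.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Handler with the (index, row) shape of EasyUI's onEndEdit (an assumption of
// this example). Like the forum answer it rewrites the row in place, but it
// encodes every string field rather than searching for one tag name. Numbers
// and other non-string values are left untouched so their type is preserved.
function encodeRowOnEndEdit(index, row) {
  for (const field in row) {
    if (typeof row[field] === 'string') {
      row[field] = escapeHtml(row[field]);
    }
  }
  return row;
}

// Constructed sample rows standing in for what a user typed into the editor.
const sampleRows = [
  { itemid: 'item1', name: '<script>alert(1)</script>', price: 10 },
  { itemid: 'item2', name: '<b>bold</b> & "quoted"', price: 20 },
];

// Run the handler over the samples and return the encoded copies.
function encodeSampleRows() {
  return sampleRows.map((row, i) => encodeRowOnEndEdit(i, { ...row }));
}
```

Encoding at save time means a second edit of the same cell shows the entity-encoded text in the editor; if that is unwanted, apply escapeHtml in the column's formatter instead so the stored value stays raw and only the rendered output is encoded.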