EasyUI Forum

General Category => EasyUI for jQuery => Topic started by: A-K on July 21, 2015, 04:00:59 AM



Title: EasyUI security issues
Post by: A-K on July 21, 2015, 04:00:59 AM
Hey,

Our team just found out that script tags and also elements can be entered into the datagrid rows when in edit mode, and after endEdit is called they are activated!
This is a security issue, and I don't think that everyone who uses EasyUI should start testing the user input for script tags and so on.

This is something EasyUI should handle in the infrastructure level.

Please check it out here: http://jsfiddle.net/3L4ej4dx/43/
I have entered a script tag into the first row with a plus sign in the <+script> and in </+script>; remove the plus from it and watch the script being activated.

Thanks.


Title: Re: EasyUI security issues
Post by: A-K on July 22, 2015, 10:31:55 AM
Hey stworthy, any updates on this?

Thanks.


Title: Re: EasyUI security issues
Post by: stworthy on July 22, 2015, 06:15:52 PM
You can define a validate type and apply it to the editor to prevent typing a <script> tag.
Code:
<script>
// Register a custom validatebox rule named 'noscript'; apply it to a
// datagrid editor via validType:'noscript' so that endEdit is refused
// while the value contains a literal <script> tag.
$.extend($.fn.validatebox.defaults.rules, {
    noscript: {
        validator: function(value, param){
            // Case-insensitive substring check for the literal opening tag
            if (String(value).toLowerCase().indexOf('<script>') >= 0){
                return false;
            }
            return true;
        },
        message: 'The script tag is not allowed.'
    }
});
</script>

You can also define the 'onEndEdit' event to convert all the row content to what you want.
Code:
$('#dg').datagrid({
    // Called after an edited row is committed; row is that row's data object
    onEndEdit: function(index, row){
        for (var field in row){
            if (row[field]){
                // Replace a literal <script> tag with its HTML-entity form
                row[field] = String(row[field]).replace(/<script>/ig, '&lt;script&gt;');
            }
        }
    }
});

Please refer to this updated example http://jsfiddle.net/3L4ej4dx/44/