Your Privacy Matters: We use our own and third-party cookies to improve your experience on our website. By continuing to use the website we understand that you accept their use. Cookie Policy
820
How to restrict Grid Row Editing XSS (Cross site scripting)
posted

hi all
I am looking for a way to sanitize inputs to keep script from being executed when editing grid records.

If i add something simple as '<img src=z onerror=alert(278)>' into an rowEdit input, the script will execute.  Is there a simple or native option to restrict or treat input values as text?

Parents
  • 660
    Verified Answer
    Offline posted

    Hello Ben,

    Thank you for posting into our community!

    I have been looking into your question and an approach I could suggest is using the editCellEnding event which is fired before cell editing ends and provides useful information such as the new value.

    Additionally, as the editCellEnding event is fired for each cell when using row editing, I would suggest using the update option to check if the value is changed and apply custom logic for sanitizing it.

    For example:

    features: [
      {
        name: "Updating",
        editMode: "row",
        editCellEnding: function (evt, ui) {
          if (ui.update) {
            ui.value = escapeHtml(ui.value);
          }
        },
      },
    ],

    Here could be found a small sample demonstrating my suggestion.

    Please test it on your side and let me know if you need any further assistance regarding this matter.

    Looking forward to your reply.

    Sincerely,
    Riva Ivanova
    Associate Software Developer

Reply Children