jQWidgets Forums

sanitize HTML of user data

This topic contains 3 replies, has 2 voices, and was last updated by Hristo 7 years, 2 months ago.

  • sanitize HTML of user data #98181

    badera
    Participant

    We use jqWidgets for Angular 1.
    We are currently confronted with a cross-site scripting problem, where users may enter data; this data is stored and other users get this data displayed either with a jqxGrid, jqxDropDown, …
    So if the user who inputs data enters some HTML code with embedded JavaScript, the other user gets this code executed, due to the fact that e.g. the jqxGrid does not sanitize the provided data which it displays.

    Is there a general way to let the jqWidgets sanitize all bound data so that no cross-site scripting can occur?
    Thanks in advance for your help/tips!

    Best regards,
    badera

    sanitize HTML of user data #98206

    Hristo
    Participant

    Hello badera,

    Thank you for the interest.
    Our widgets visualize the data, but it cannot be guaranteed that it is correct and without malicious content. You could do some checks before sending to the backend, which should be the priority of this task; the backend should take care of the security of the data.
    Maybe if you provide us more details about what you want to prevent, I could try to provide you with a solution.

    Best Regards,
    Hristo Hristov

    jQWidgets team
    http://www.jqwidgets.com

    sanitize HTML of user data #98216

    badera
    Participant

    Dear Hristo

    Thanks for the answer. Primarily, I would like to prevent the execution of JavaScript. I.e. if a jqxGrid gets ‘‘ as data (because probably a user enters this as his first name and there is a grid showing all users' first names), JavaScript shall not be executed. So I wonder if it is correct if we do the filtering on input data in the backend – it is neither the backend nor other clients which get into trouble with such input – it is just the browser. So I think it would be best practice to do the sanitizing before displaying the content.
    But of course, I would appreciate it if I could do it in the backend – it would be simpler than making, e.g. regarding jqxGrid, a custom renderer for each column which sanitizes the data to display. On the other hand, it would be great if jqWidgets would give an option to enable such sanitizing.

    According to your answer, I think that jqWidgets does not currently have such an option – so I would like to ask you what is state of the art – how do professionals solve it? Do they do it on the backend or in the browser?

    Thanks for your help!
    Best regards,
    – badera

    sanitize HTML of user data #98226

    Hristo
    Participant

    Hello badera,

    What I could suggest is, when something is typed in the cell, to check the whole typed value.
    With the createeditor you could integrate a widget (e.g. jqxInput) and if there is some “malicious code” you could force the widget and set its text to some message.
    Unfortunately, I do not have experience with that kind of query that you can send to the server.
    Also, you could try to use the validation callback of the columns property and check the value.
    Thank you for your understanding.
    Let me know if you need anything else.

    Best Regards,
    Hristo Hristov

    jQWidgets team
    http://www.jqwidgets.com
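The two mechanisms discussed in this thread, encoding stored values at display time (badera's per-column renderer) and checking values as they are edited (Hristo's `validation` callback), can be combined in one helper. The following is an added example, not code from jqWidgets or from either poster. It assumes the documented jqxGrid column callbacks `cellsrenderer(row, columnfield, value, defaulthtml, columnproperties, rowdata)` (the returned string becomes the cell's HTML) and `validation(cell, value)` (returns `true` or `{ result: false, message }`); the element id `#grid`, the column list, and the sample user records are constructed for the example. The renderer entity-encodes the value, so a stored `<script>` tag is shown as literal text instead of being executed; the validation callback is only defense in depth and does not replace the encoding.

```javascript
// Added example (not jqWidgets' own code): entity-encode cell values before
// jqxGrid renders them, plus a defense-in-depth validation on edit.
// Assumed jqxGrid column callbacks:
//   cellsrenderer(row, columnfield, value, defaulthtml, columnproperties, rowdata) -> HTML string
//   validation(cell, value) -> true | { result: false, message: string }

// The five characters that change meaning inside an HTML text node or attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode an arbitrary (possibly null) value for safe insertion into HTML markup.
function escapeHtml(value) {
  if (value === null || value === undefined) {
    return '';
  }
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// cellsrenderer replacement: jqxGrid uses the returned string as the cell's HTML,
// so the untrusted value is encoded before it is placed inside the wrapper div.
// The wrapper margins mimic a plain left-aligned cell (assumed, cosmetic only).
function safeCellsRenderer(row, columnfield, value, defaulthtml, columnproperties, rowdata) {
  return '<div style="margin-left: 4px; margin-top: 6px;">' + escapeHtml(value) + '</div>';
}

// validation callback for editable columns: rejects values containing markup
// delimiters before they are sent to the backend. Defense in depth only.
function rejectMarkup(cell, value) {
  const text = value === null || value === undefined ? '' : String(value);
  if (/[<>]/.test(text)) {
    return { result: false, message: 'HTML tags are not allowed in this field.' };
  }
  return true;
}

// Copy each column definition and attach the encoding renderer and the validator,
// leaving every other column option (text, datafield, width, ...) untouched.
function secureColumns(columns) {
  return columns.map((col) => Object.assign({}, col, {
    cellsrenderer: safeCellsRenderer,
    validation: rejectMarkup,
  }));
}

// Constructed sample data: the second record's first name is a stored script tag.
const sampleUsers = [
  { firstname: 'Alice', lastname: 'Example' },
  { firstname: '<script>alert(1)</script>', lastname: 'Mallory' },
];

// Usage (only executes in a page where jQuery and jqWidgets are loaded).
if (typeof $ !== 'undefined' && $.fn && $.fn.jqxGrid) {
  $('#grid').jqxGrid({
    source: new $.jqx.dataAdapter({ localdata: sampleUsers, datatype: 'array' }),
    editable: true,
    columns: secureColumns([
      { text: 'First name', datafield: 'firstname' },
      { text: 'Last name', datafield: 'lastname' },
    ]),
  });
}
```

Because `secureColumns` wraps the column definitions rather than the data, it applies the same output encoding to every column regardless of where the data came from, which is the per-column renderer approach badera describes, done once instead of once per column.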
