jQuery UI Widgets › Forums › Grid › XSS
Tagged: JavaScript, javascript widgets, jQuery, jQuery Widgets, jqwidgets, xss
This topic contains 3 replies, has 2 voices, and was last updated by Peter Stoev 8 years, 11 months ago.
Hello there,
It seems like all the grid components are vulnerable to XSS attacks (cells rendering, grouping, etc). This is quite bad, I have had to patch up jqxgrid and jqxgrouping code in order to prevent this, but I probably only fixed part of it and not everywhere. Looks like the code of all the widgets relies on string concatenation to build HTML which is discouraged. How difficult would it be to make the library XSS safe? Any plans on doing that?
Other widgets as the dropdown one also suffer from this issue.
Hi cristiano,
We want to put HTML in the cells, groups, etc and we do not want to restrict our users to do what they wish. We have no plans to change this in the future as well. If someone has some doubts about XSS, validation logic could be easily implemented.
Best Regards,
Peter Stoev
Is there any guide on how to easily implement html escaping of data to prevent XSS without having to go through the actual code? For example, I know you can have a custom renderer on cells which may help to prevent XSS as you can escape values there, but when grouping and column names there’s no such easy way to prevent XSS.
Hi cristiano,
Custom render callbacks are available for everything – cells, headers, groups, aggregates, toolbars, statusbars, pagers, etc.
Best Regards,
Peter Stoev
jQWidgets Team
http://www.jqwidgets.com
You must be logged in to reply to this topic.
