on jqx-combo-box Search with multiSelect enabled - Angular, Vue, React, Web Components, Javascript, HTML5 Widgets

Tagged: combobox, multiselect

This topic contains 7 replies, has 3 voices, and was last updated by Jany 8 years, 5 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)

Author

on jqx-combo-box Search with multiSelect enabled Posts
November 27, 2016 at 9:32 am on jqx-combo-box Search with multiSelect enabled #89339

Jany
Participant

Hi,

We are using jqx-combo-box with multiselect option enabled. In the search field if we give script its executing that. I tried <script>alert(1)</script> as search text, it is immediately showing the alert message with 1. The same issue happening with the demo example also by enabling multiselect. This does not happen when multiselect mode is false. This looks to be a security issue. Have you faced this issue? If so, what is the plan to fix this?

Thanks
Jany

November 28, 2016 at 9:48 am on jqx-combo-box Search with multiSelect enabled #89351

Hristo
Participant

Hello Jany,

Thank you for this feedback.

Best Regards,
Hristo Hristov

jQWidgets team
http://www.jqwidgets.com

November 28, 2016 at 3:21 pm on jqx-combo-box Search with multiSelect enabled #89360

Jany
Participant

Hi Hristo Hristov,

Please let us know what is the plan to address this? Do you have any open defect for this? We use jqwidgets in our product and our customers raised this as severe security issue.

Thanks
Jany

November 30, 2016 at 6:52 am on jqx-combo-box Search with multiSelect enabled #89434

Jany
Participant

Hi Team,

Any update on this defect? We are waiting for your comments to get back to our customer.

Thanks
Jany

November 30, 2016 at 8:14 am on jqx-combo-box Search with multiSelect enabled #89435

Peter Stoev
Keymaster

Hi Jany,

We do not think that this is a defect. The ComboBox displays an Input field and we do not restrict it at all.

Best Regards,
Peter Stoev

jQWidgets Team
http://www.jqwidgets.com

November 30, 2016 at 9:35 am on jqx-combo-box Search with multiSelect enabled #89438

Jany
Participant

Hi Peter Stoev,

I agree with you on not restricting on the input field used for search.

But the text entered for search should be treated as text, and it should not be executed as script. Currently when we enter some scripts as search input, it is not treating it as simple search text, instead executing the entered text.

Thanks
Jany

December 5, 2016 at 6:36 am on jqx-combo-box Search with multiSelect enabled #89549

Jany
Participant

Hi Peter Stoev,

Any update on this.

Thanks
Jany

December 8, 2016 at 6:45 am on jqx-combo-box Search with multiSelect enabled #89662

Jany
Participant

Hi Team,

Any update on this?

Not restricting characters on the input field used for search is OK, but the text entered for search should be treated as text, and it should not be executed as script. Currently when we enter some scripts as search input, it is not treating it as simple search text, instead executing the entered text. This happens only when multiselect mode is true in jqx-combo-box

Thanks
Jany
Author

Posts

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.