Forum
15:24
I've been trying to resolve an issue with editing, and it still persists despite escaping everything on the backend. The only conclusion I can draw is that a bug in jqGrid itself exists.
To recreate the problem, create a new instance of jqGrid and enable inline editing using the default function from the documentation:
————————-
onSelectRow: function(id){
    // Restore any other row that is still in edit mode before switching rows
    if(id && id!==lastCategoriesSel){
        jQuery('#categories').restoreRow(lastCategoriesSel);
        lastCategoriesSel=id;
    }
    editingCategories = true;
    // keys=true enables [ENTER]/[ESC]; the last two arguments are the after-save and error callbacks
    jQuery('#categories').editRow(id, true, null, null, null, null, afterSubmitFuncForEditCategories, editError);
}
————————-
If you click on a row to edit the data on this grid, and enter “<script>alert('hi');</script>” in any field, and press [ENTER], an alert box appears. The box appears before the XHR calls to reload the data in the grid, so even if my code were unsanitized, it isn't even being evaluated yet.
At first, I thought this wasn't a big issue because the hacker could only hack his own computer. Then, somebody pointed out that it's not necessary for the user to actually change the data in the fields. While the code is not automatically executed at load time, subsequent users could accidentally edit a field containing script tags like this (perhaps hidden after a number of linefeeds to push them down past immediate view), press [ENTER], and the script would be executed before being saved to the database.
Is it possible that there is a bug in jqGrid that causes this data to be executed somewhere, or am I missing something still?
02:03
Moderators
30/10/2007
Hello,
It is not a bug, it is the way the request is sent to the server. Also, please first read the docs on how to sanitize such things; for example, there is an option autoencode.
Regards
Tony
For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.
11:50
I tried the autoencode option, and it works as designed. However, there's a problem with this scheme. Sending the code to the database works fine, and no alert is displayed if I press [ENTER]. Let's assume that the encoded data is stored in the database, or equivalently, when Windows Forms applications also access the data, the data is decoded for the database and then reencoded upon retrieval. Either way, the data that needs to be displayed is returned in JSON format with HTML entities encoded when the grid is refreshed.
However, after the refresh, it's still possible for an alert dialog to occur. You can reproduce this by clicking in any of the cells where the <script> values are displayed and clicking on another row, which calls restoreRow() with the example code. When the HTML entities are sent encoded in JSON format as &lt; and &gt;, they display as < and > in the grid, which is what we want, but then cancelling the edit executes the script instead of saving it. Autoencode only seems to prevent attacks when saving the data, not when cancelling an inline edit. When the original data is restored to the cell, it seems to be appended to the document unescaped, so that a cell with the input value “<script>alert('hi');</script>” will then show a null string after the edit is cancelled using restoreRow. Therefore, a hacker can still put these script tags into the database, and even though users won't be attacked when saving data, they'll still be attacked when cancelling editing on rows that contain the script tags.
One way to get around this problem is to double-escape strings. But then, additional characters keep getting appended onto anything that originally had a “<” character in it, and it's a problem for applications where math (i.e. x < 3) is stored in the text. You'll get things like “x < 3” or even “x << 3.” Or you can strip all tags like that, but then you can never have “<” and “>” characters anywhere.
12:05
Moderators
30/10/2007
Hello,
Thanks for this.
Will try to reproduce this and, if needed, make some corrections. Also, the developer should take care of the data passed to and retrieved from the server. This is a long discussion.
Regards
Tony
14:42
I just discovered what may be another oversight.
Try adding a default search box below a grid, using the grid's column models. This also works with a separate model for search. Enter "<script>alert('hi');</script>" in the search field for one column, and then press [ENTER].
The data is sent unencoded to the server. Ideally, if autoencode = true, I would think that it would be best to call whatever the JavaScript equivalent is to Server.URLEncode() before passing data. In my case, I received a 403 ("Forbidden") error when attempting to search on fields using "<" or ">" characters, because apparently the webserver is configured to reject URLs that include these characters in order to prevent XSS attacks. Therefore, not only might developers get confused and store this data unintentionally, but some servers are also configured beyond the developer's control to reject such queries.
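An added example (not jqGrid code, and not from either poster) that models the two problems raised in the posts above: the cancel-edit path that writes a cell's original characters back unencoded, and the double-escaping workaround that keeps growing "x < 3" on every reload. The cell object, the `restoreCell*` functions and `searchQuery` are stand-ins constructed here; the rule they demonstrate is to keep the raw value in the model and encode once, at the point of insertion, for the context being written (HTML entities for a cell, percent-encoding for a query string).

```javascript
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// True if the string still carries an element-like tag, i.e. a browser would
// parse it as markup rather than show it as text ("x < 3" is not markup).
function containsMarkup(html) {
  return /<\s*\/?[a-z]/i.test(html);
}

// Stand-in for one grid cell (no real DOM): `raw` is the model value,
// `html` is the string that would be assigned to the cell's innerHTML.
function makeCell(raw) {
  return { raw: String(raw), html: htmlEncode(raw) };
}

// Cancel-edit path as the thread describes it: the cell is refilled with the
// original characters, so a stored <script> tag becomes live markup.
function restoreCellUnsafe(cell) {
  cell.html = cell.raw;
  return cell.html;
}

// Hardened cancel-edit path: encode again at the point of insertion.
function restoreCellSafe(cell) {
  cell.html = htmlEncode(cell.raw);
  return cell.html;
}

// The "double escape" workaround from the post above: encoding the stored text
// again on every save/reload turns "x < 3" into "x &amp;lt; 3" and keeps growing.
function storeEncodedAndReencode(raw, reloads) {
  let stored = String(raw);
  for (let i = 0; i < reloads; i++) stored = htmlEncode(stored);
  return stored;
}

// Search terms go into the query string, which is a URL context, not an HTML
// one, so they get percent-encoding; a raw "<" never reaches the URL.
function searchQuery(field, value) {
  return '?searchField=' + encodeURIComponent(field) +
         '&searchString=' + encodeURIComponent(value);
}
```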