Forum

November 2nd, 2014
JS injection
humbol (Member, Forum Posts: 4, Member Since: 20/12/2012), posted 20/12/2012 19:13

Hello, 

I have the following problem: whenever the user edits a row with editGridRow or similar, there is no check of what info is inserted.

You can check this behaviour in the jqGrid demos: Row editing -> Basic Example.

Edit the row and modify the Client column with the following string:

<script>alert(1)</script>

Then, when you save it, the alert pops up. And then, if you edit it again, the field is empty.

I guess that if we really trust the user and want him/her to enter HTML data, then you could define something like html:true in the editrules, but in most cases, where we don't trust the user, you should escape JS/HTML tags just for showing it in the grid.

thanks in advance.

tony (Moderator, Sofia, Bulgaria, Forum Posts: 7721, Member Since: 30/10/2007), posted 20/12/2012 19:28


Hello,

It seems to me you have not read the docs in order to see how you can avoid this.

Kind Regards

Tony

For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.

humbol (Member), posted 21/12/2012 00:11


Hello Tony,

Thanks for the response; in fact I don't remember reading it. If you can point that info out I would appreciate it.

However, back to the issue: if you write some invalid JS line inside the script (i.e. <script>xx</script>), then the row is not consistent anymore. Try to edit it afterwards and see.

My point is as follows: this injection or error is on the client side (I can escape things from my server, no problem), but this is the standard behaviour and, as you can see, even the demos are exposed.

regards,

Humbol

tony (Moderator, Sofia, Bulgaria), posted 21/12/2012 10:25


Hello,

Look at the autoencode option in the grid settings.

Regards


humbol (Member), posted 21/12/2012 11:18


Hello,

I just checked, but the standard behaviour still doesn't seem logical to me.

If you set autoencode to true, then when you post to the server '<' will be converted to '&lt;'. This means that I'll save '&lt;' in my DB. Afterwards, when I rebuild the grid from the data store, my JSON data will be {test:'&lt;'}, so '&lt;' will appear in the grid cell; if you edit and save, the post will be {test:'&amp;lt;'}, and so on.

So, it just doesn't seem logical that I have to un-encode the data on the server side. I just want to receive in the server what the user types (then I do what I want with that data), but the grid has to be consistent.

For the moment, what I do is: all the data that comes from the server is already HTML escaped, and whenever I do editGridRow I set reloadAfterSubmit:true. This is a workaround that works, but I guess it is not what most people expect from this component.

thanks

tony (Moderator, Sofia, Bulgaria), posted 21/12/2012 12:39


Hello,

Look here


humbol (Member), posted 21/12/2012 12:56


Hello,

Now I understand why it is not on by default; however:

'Now when autoencode is set to true we encode the data coming from server and not only when we post it (security fix)'

You have data sanitized twice, so you have to un-sanitize the data when you receive it.
