Forum
18:35
I love your plugin, I found it only two days ago and without any knowledge of it or jQuery I built a beautiful grid with a little effort. Before it I tried a lot of grids, for example YUI datatable, Dojogrid and others, but yours is the best, both the product itself and the accurate and exhaustive documentation.
IMHO the only feature that's missing (or maybe that I was not able to find) is automatic escaping of cell content. It would be nice if we could have an option in colModel (such as escape) that prevents characters like < and > from being rendered as HTML. The ideal thing would be to have a jQuery('#idcell').text(content) call made in an automated way.
I ask this because I use Zend Framework on the server side, so in my db tables user content is stored as is, and then when used in web pages it is escaped by Zend_View_Helper_Escape, which does the hard job. In this way my model returns data as arrays with unescaped content. Now when I use these methods with a JSON helper to feed your grid, if I have HTML code it is interpreted in cells, or even worse JavaScript...
I would like to keep my MVC models intact and execute escape of data using javascript, or even better directly with your grid.
For now I will use the custom formatter feature, but in the future this would be a nice improvement to your beautiful piece of software.
Regards
05:21
Moderators
30/10/2007
For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.
20:58
I read about that option, but it is for posting data to the server. What I mean in my previous post is the ability to include unescaped content in a cell. For example, suppose that your server side script returns a string like <script>alert('hello world')</script>; when your jqGrid is rendered the script is executed.
At this time, the only way to prevent such XSS is to escape the data server side, or to use a custom formatter, but this would mean that you can not use any other formatter for that cell.
Bye.
P.S. I'm trying to extend the standard formatters by writing some other functions. I'd like to make something like extending that object, so that I simply have to include my file and use my formatter in the same way as the builtin ones. One problem: I'm not very skilled with JavaScript, can someone help me with a link to some docs?
01:07
Moderators
30/10/2007
Hello,
Thanks - I added an option to encode the server data. If you set autoencode to true, the data from the server will be encoded.
Regards
Tony
14:12
25/07/2009
Hello,
I also have this XSS problem. I would like to have jqgrid html-encode/escape bound data so that it cannot execute when it is displayed in jqgrid.
I am sorry, I don't understand your reply Tony: is the option to encode data from the server available in version 3.4.4? Or 3.5? What version must I use to have this feature?
Thanks,
-Jose
10:56
Moderators
30/10/2007
Hello,
You must use the 3.5 version. I recommend using the latest one from GitHub.
Best Regards
Tony
Has the issue with XSS been solved somehow yet?
I noticed that it is possible to escape the data before it is sent to the server, but it is still possible to insert JavaScript on the client side.
Is there a nice way of escaping the output before it is rendered? http://www.trirand.com/blog/jq.....grid.html# Try adding <script>alert("XXS");</script> in the input box.
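The client-side escaping asked about in this thread, as an added example that is not jqGrid's own code: a custom formatter with the signature jqGrid passes to colModel formatters (cellvalue, options, rowObject), plus a wrapper that escapes the value before handing it to another formatter. The sample rows and the options object are constructed for the demonstration.

```javascript
// Replace the five characters that can break out of HTML text or attribute
// context with entity references. Ampersand goes first so that entities
// produced by the later replacements are not double-encoded.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Custom formatter for colModel, e.g. { name: 'note', formatter: escapingFormatter }.
// jqGrid inserts the returned string as cell markup, so escaping here makes a
// <script> payload coming from the server render as visible text instead of running.
function escapingFormatter(cellvalue, options, rowObject) {
  return escapeHtml(cellvalue);
}

// Compose escaping with another formatter so both can apply to one column:
// the inner formatter receives already-escaped text and may wrap it in its
// own markup. Assumes the inner formatter treats its input as display text.
function withEscaping(inner) {
  return function (cellvalue, options, rowObject) {
    return inner(escapeHtml(cellvalue), options, rowObject);
  };
}

// Constructed sample rows, as if returned unescaped by the server.
const SAMPLE_ROWS = [
  { id: 1, note: "<script>alert('hello world')</script>" },
  { id: 2, note: 'Tom & Jerry <b>bold</b>' },
];

// Render one column with a formatter; the options object mirrors the
// fields jqGrid supplies (rowId, colModel) but is constructed here.
function renderColumn(rows, formatter) {
  return rows.map(function (row) {
    return formatter(row.note, { rowId: row.id, colModel: { name: 'note' } }, row);
  });
}

// Bold wrapper standing in for a markup-producing formatter.
function boldFormatter(cellvalue) {
  return '<b>' + cellvalue + '</b>';
}
```

Calling `renderColumn(SAMPLE_ROWS, escapingFormatter)` yields cell strings that contain no raw `<` or `>`, and `renderColumn(SAMPLE_ROWS, withEscaping(boldFormatter))` keeps only the wrapper's own tags.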