
Security feature request - DataManager XSS and CSRF security: attaching an anti-forgery token in the request header for all AJAX requests from DataManager.

Thread ID: 126444 | Oct 15,2016 04:39 AM UTC | Oct 20,2016 12:36 PM UTC | ASP.NET MVC | 3
Tags: DataManager
Asked On October 15, 2016 04:39 AM UTC

Hi, I need some clarification and help in configuring the DataManager to prevent XSS & CSRF.

Does the Syncfusion DataManager use jQuery behind the scenes when sending data to the server?
I ask because Angular and other secure apps based on jQuery usually attach an anti-forgery token.

When intercepting XMLHttpRequest using JavaScript's native AJAX object, XMLHttpRequest, this is how I define a simple interceptor to add the token to the header:

(function (send) {
    XMLHttpRequest.prototype.send = function (data) {
        // attach the anti-forgery token to every request before it goes out
        this.setRequestHeader(myAppWithSyncfusionDatamgr.attachAntiForgery.tokenHeaderName,
                              myAppWithSyncfusionDatamgr.attachAntiForgery.getToken());
        return send.call(this, data);
    };
})(XMLHttpRequest.prototype.send);

My question is: if DataManager is using jQuery, how and where can I attach this function to the Syncfusion code, so that when I send/get data using the DataManager this request is in the pipeline?

If you already have a mechanism, please help me understand how it's being handled.



Kalai Selvi Rajendran [Syncfusion]
Replied On October 18, 2016 05:03 PM UTC

Hi Mega, 

Thanks for using Syncfusion products. 
We have analyzed your query; you can add the anti-forgery token to the headers property of DataManager as below:

var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: "12aba676"   // sent as a request header named "token"
    }]
});

Data will be fetched from the GetData action method and the token will be added to the request header; please refer to the screenshot for your reference. We have attached a sample.
Sample: http://www.syncfusion.com/downloads/support/forum/126444/ze/SampleAntiForgery1721904240

If you have any other questions, please let us know. 

Kalai Selvi 

Replied On October 19, 2016 07:09 PM UTC

Thanks for the sample. Remember, the tokens are to be random and auto-generated on the server side so they cannot be reused, but in your sample it's static and can be hijacked easily. This does not prevent XSS or CSRF, sadly.

If you test your controls you will see it's easy to hijack.

This seems to be a serious security oversight; an anti-XSS token should have been implemented in your ej.webmin. Looking at the code, I did not find it if it was already implemented. Can you confirm whether it exists, or will you make this a request, please?
I also recommend that you:
  1. give the developer the option to override it / call it something other than "token", so it's not overwriting other anti-forgery tokens;
  2. put it in the ej. name space.



Kasithangam C [Syncfusion]
Replied On October 20, 2016 12:36 PM UTC

Hi Mega, 
Thanks for your update. 
You can get the dynamically generated token and pass it as a header of DataManager as shown in the code below:

var forgeryToken = $('[name=__RequestVerificationToken]').val(); // get the dynamic token value
var dataManager = ej.DataManager({
    url: "GetData",
    adaptor: new ej.UrlAdaptor(),
    headers: [{
        token: forgeryToken   // sent as a request header named "token"
    }]
});

We have prepared the sample based on your requirement and it is available under the following link:
Sample: Sample
Also, you have mentioned “put it in ej. name space” in your query. Can you please provide additional details regarding this?
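The interceptor from the original post, combined with the way the last reply reads the token from the rendered __RequestVerificationToken field, as an added example that is neither Syncfusion's nor the poster's code. It goes further than the thread by sending the token only on same-origin, state-changing requests; the header name, the page origin, FakeXhr and fakeDoc are assumptions for illustration.

```javascript
// Added example, not Syncfusion's code. Wraps an XMLHttpRequest-like constructor so
// that every same-origin, state-changing request carries the anti-forgery token in a
// header. headerName, getToken, origin and FakeXhr are assumptions for illustration.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
// Only state-changing, same-origin requests get the token; attaching it to a
// cross-origin request would hand the token to a third party.
function needsToken(method, url, origin) {
  if (SAFE_METHODS.has(String(method).toUpperCase())) return false;
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(url) || url.startsWith('//')) {
    try { return new URL(url, origin).origin === origin; } catch (e) { return false; }
  }
  return true; // relative URL: same origin as the page
}
// Read the per-page token that @Html.AntiForgeryToken() renders as a hidden input.
function readToken(doc) {
  const el = doc.querySelector('input[name="__RequestVerificationToken"]');
  return el ? el.value : null;
}
// Patch open() to remember method/url and send() to add the header. Returns an undo.
function installAntiForgeryInterceptor(XhrCtor, { headerName, getToken, origin }) {
  const proto = XhrCtor.prototype;
  const origOpen = proto.open, origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this._afMethod = method; this._afUrl = url;
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    const token = getToken();
    if (token && needsToken(this._afMethod, this._afUrl, origin)) {
      this.setRequestHeader(headerName, token);
    }
    return origSend.call(this, body);
  };
  return () => { proto.open = origOpen; proto.send = origSend; };
}
// Constructed stand-ins for the browser's XMLHttpRequest and for a page holding a token.
class FakeXhr {
  constructor() { this.headers = {}; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send(body) { this.body = body; return this; }
}
const fakeDoc = { querySelector: () => ({ value: 'tok-1a2b3c' }) };
// Drive one request through the patched FakeXhr and return the headers it would send.
function sendVia(method, url, origin = 'https://app.example') {
  const undo = installAntiForgeryInterceptor(FakeXhr,
    { headerName: 'RequestVerificationToken', getToken: () => readToken(fakeDoc), origin });
  const xhr = new FakeXhr(); xhr.open(method, url); xhr.send(null); undo();
  return xhr.headers;
}
```

The server side must validate the same header name; ASP.NET MVC's default AntiForgery.Validate() looks at the form field, so checking a header needs a custom validation attribute.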

