TreeGrid doesn't sanitise user input - executes any Javascript entered into a cell

Hi Syncfusion,
I've noticed that the TreeGrid doesn't sanitise user input - and therefore it executes any Javascript entered into a cell.

For example, if you go to this page:

http://mvc.syncfusion.com/demos/web/treegrid/treegridediting

and type exactly this into one of the "Task Name" cells:
<script>alert('ouch');</script>

Nothing is shown in the cell, and the script actually executes - an alert dialog appears with the word "ouch" in it.
I feel like this shouldn't happen - the script entered in here could do all sorts of malicious things. What should happen is that exactly what was typed in the edit box appears in the cell after saving.

1 Reply

SR Suriyaprasanth Ravikumar Syncfusion Team January 12, 2018 11:18 AM UTC

Hi Matthew, 
 
We have analyzed your reported issue. While editing the text and saving it, the row is refreshed, and when there is a valid script element in the edited text it is executed due to the JavaScript behavior. Hence we suggest that you provide the cell input text using HTML entities instead of the HTML tag symbols directly if there is executable code in the input text. Other special characters (<, >, %, *, &) are supported in TreeGrid cells.
 
[HTML] 
<script>alert('ouch');</script> 
 
[HTML Entities] 
&lt;script&gt;alert('ouch');&lt;/script&gt;
 
 
Please let us know if you require further assistance on this.
 
Thanks,  
Suriyaprasanth R.  
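The reply above puts the burden of entity-encoding on whoever types into the cell. The usual defensive fix is for the application to output-encode cell text itself before it is inserted as HTML (or to insert it with textContent so it is never parsed as markup). The following JavaScript is an added example illustrating that, not Syncfusion's code and not part of the original thread; the names escapeHtml, renderCellHtml, decodeBasicEntities, hasRawTag and setCellText are hypothetical, and the sample input is the string from the report.

```javascript
// Added example (not Syncfusion code): output-encode untrusted cell text so
// a pasted <script> tag is displayed literally instead of being executed.

// The five characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every HTML-significant character. '&' is included so text the user
// typed as "&lt;" is shown as typed instead of being decoded by the browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one grid cell from untrusted cell text. In a real grid
// this would be the cell template; the <td> wrapper here is constructed.
function renderCellHtml(cellText) {
  return '<td>' + escapeHtml(cellText) + '</td>';
}

// Reverse of escapeHtml for the same five entities, used to verify that what
// the browser displays after decoding equals what the user typed. A single
// regex pass never re-scans its own output, so "&amp;lt;" decodes to "&lt;".
const ENTITY_DECODES = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
};
function decodeBasicEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => ENTITY_DECODES[ent]);
}

// True when the string still contains something the HTML parser would treat
// as a tag opener, i.e. a raw '<' followed by a letter or '/'.
function hasRawTag(html) {
  return /<[A-Za-z/]/.test(html);
}

// In a browser the safer route is to skip HTML parsing entirely and assign
// textContent on the cell element; this helper does that and returns the
// resulting visible text.
function setCellText(cellElement, cellText) {
  cellElement.textContent = String(cellText);
  return cellElement.textContent;
}

// Constructed sample input: exactly what was typed into the Task Name cell.
const sample = "<script>alert('ouch');</script>";

// Plain-text characters the reply says are supported should pass through,
// with only '&' encoded.
const plainSample = '50% * 2 & more';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCellHtml(sample));
  console.log('displays as:', decodeBasicEntities(escapeHtml(sample)));
  console.log('raw tag left?', hasRawTag(escapeHtml(sample)));
}
```

Run with node to see the encoded markup; the decoded form matches the typed text, which is the behaviour the original post asks for (the literal string appears in the cell after saving).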

