We use cookies to give you the best experience on our website. If you continue to browse, then you agree to our privacy policy and cookie policy. Image for the cookie policy date
Unfortunately, activation email could not send to your email. Please try again.
Syncfusion Feedback

No sanitisation by default!

Thread ID:





145432 Jun 21,2019 10:13 AM UTC Jan 7,2020 12:44 PM UTC Angular - EJ 2 6
Tags: Grid
Dan Clarke
Asked On June 21, 2019 10:13 AM UTC

Wow, I just noticed that in any of my form fields, if I enter javascript - eg. "<script>alert('hello')</script>" - if that gets displayed in a gridview, it'll execute that javascript and show a popup alert box! Surely this should sanitise by default out of this box. This is XSS 101! :(

Dan Clarke
Replied On June 21, 2019 10:18 AM UTC

Yikes, and even in this very forum - if I edit my initial post - it pops up with a 'hello' message box because I put javascript in the post! Not good.

Is there a way I can get Syncfusion to globally sanitize all my controls in my Syncfusion controls in my Angular app?

Thavasianand Sankaranarayanan [Syncfusion]
Replied On June 21, 2019 01:44 PM UTC

Hi Dan, 

Greetings from Syncfusion support. 

You can disable html display in grid cells by using column.disableHtmlEncode property. Please refer to the below documentation and API to do so. 

Please get back to us, if you need further assistance. 

Thavasianand S. 

Dan Clarke
Replied On June 21, 2019 01:49 PM UTC

So I have to add that to every single one of my controls? Isn't it a bit of a security issue that this isn't set by default? I'm guessing a lot of SyncFusion users don't know about this and most now have XSS vulnerabilities in their systems because of it.

Hariharan J V [Syncfusion]
Replied On June 24, 2019 12:46 PM UTC

Hi Dan, 

Thanks for contacting your update. 

we have considered your request as improvement “Need to provide option to disable html encoding in grid root settings”. It will be included in any of our upcoming release. Until then we appreciate your patience. 

You can now track the current status of your request, review the proposed resolution timeline, and contact us for any further inquiries through this link.  


Dan Clarke
Replied On January 3, 2020 01:12 PM UTC

Hi. I think you've perhaps misunderstood the issue. The issue isn't about HTML encoding - the issue is about allowing Javascript that the end-user has entered into a form to be executed. Regardless of if it's a grid or a textbox etc - Syncfusion isn't sanitising against this. This is a huge security risk.

Balaji Sekar [Syncfusion]
Replied On January 7, 2020 12:44 PM UTC

Hi Dan, 
Thanks for your update. 
By default,  value will be updated what type of text will be entered in the grid because there is no form of conversion performed in grid.  
Here we entered value such as ex: < span><b > value</b></span > when grid editing will update the grid with the same value. 
Please  refer to the below sample and video demonstration. 
Please get back to us, if you need any further assistance. 
Balaji Sekar. 


This post will be permanently deleted. Are you sure you want to continue?

Sorry, An error occured while processing your request. Please try again later.

Please sign in to access our forum

This page will automatically be redirected to the sign-in page in 10 seconds.

Warning Icon You are using an outdated version of Internet Explorer that may not display all features of this and other websites. Upgrade to Internet Explorer 8 or newer for a better experience.Close Icon

Live Chat Icon For mobile
Live Chat Icon