We use cookies to give you the best experience on our website. If you continue to browse, then you agree to our privacy policy and cookie policy. Image for the cookie policy date

No sanitisation by default!

Wow, I just noticed that in any of my form fields, if I enter javascript - eg. "<script>alert('hello')</script>" - if that gets displayed in a gridview, it'll execute that javascript and show a popup alert box! Surely this should sanitise by default out of this box. This is XSS 101! :(

6 Replies

DC Dan Clarke June 21, 2019 05:18 AM

Yikes, and even in this very forum - if I edit my initial post - it pops up with a 'hello' message box because I put javascript in the post! Not good.

Is there a way I can get Syncfusion to globally sanitize all my controls in my Syncfusion controls in my Angular app?

TS Thavasianand Sankaranarayanan Syncfusion Team June 21, 2019 08:44 AM

Hi Dan, 

Greetings from Syncfusion support. 

You can disable html display in grid cells by using column.disableHtmlEncode property. Please refer to the below documentation and API to do so. 

Please get back to us, if you need further assistance. 

Thavasianand S. 

DC Dan Clarke June 21, 2019 08:49 AM

So I have to add that to every single one of my controls? Isn't it a bit of a security issue that this isn't set by default? I'm guessing a lot of SyncFusion users don't know about this and most now have XSS vulnerabilities in their systems because of it.

HJ Hariharan J V Syncfusion Team June 24, 2019 07:46 AM

Hi Dan, 

Thanks for contacting your update. 

we have considered your request as improvement “Need to provide option to disable html encoding in grid root settings”. It will be included in any of our upcoming release. Until then we appreciate your patience. 

You can now track the current status of your request, review the proposed resolution timeline, and contact us for any further inquiries through this link.  


DC Dan Clarke January 3, 2020 08:12 AM

Hi. I think you've perhaps misunderstood the issue. The issue isn't about HTML encoding - the issue is about allowing Javascript that the end-user has entered into a form to be executed. Regardless of if it's a grid or a textbox etc - Syncfusion isn't sanitising against this. This is a huge security risk.

BS Balaji Sekar Syncfusion Team January 7, 2020 07:44 AM

Hi Dan, 
Thanks for your update. 
By default,  value will be updated what type of text will be entered in the grid because there is no form of conversion performed in grid.  
Here we entered value such as ex: < span><b > value</b></span > when grid editing will update the grid with the same value. 
Please  refer to the below sample and video demonstration. 
Please get back to us, if you need any further assistance. 
Balaji Sekar. 

Live Chat Icon For mobile
Up arrow icon