No sanitisation by default!
Wow, I just noticed that in any of my form fields, if I enter JavaScript - e.g. "<script>alert('hello')</script>" - if that gets displayed in a gridview, it'll execute that JavaScript and show a popup alert box! Surely this should sanitise by default out of the box. This is XSS 101! :(
6 Replies
Dan Clarke
June 21, 2019 10:18 AM UTC
Yikes, and even in this very forum - if I edit my initial post - it pops up with a 'hello' message box because I put JavaScript in the post! Not good.
Is there a way I can get Syncfusion to globally sanitize all of the Syncfusion controls in my Angular app?
Thavasianand Sankaranarayanan
Syncfusion Team
June 21, 2019 01:44 PM UTC
Hi Dan,
Greetings from Syncfusion support.
You can disable html display in grid cells by using column.disableHtmlEncode property. Please refer to the below documentation and API to do so.
Please get back to us, if you need further assistance.
Regards,
Thavasianand S.
Dan Clarke
June 21, 2019 01:49 PM UTC
So I have to add that to every single one of my controls? Isn't it a bit of a security issue that this isn't set by default? I'm guessing a lot of SyncFusion users don't know about this and most now have XSS vulnerabilities in their systems because of it.
Hariharan J V
Syncfusion Team
June 24, 2019 12:46 PM UTC
Hi Dan,
Thanks for your update.
We have considered your request as an improvement, “Need to provide option to disable html encoding in grid root settings”. It will be included in one of our upcoming releases. Until then, we appreciate your patience.
You can now track the current status of your request, review the proposed resolution timeline, and contact us for any further inquiries through this link.
Regards,
Hariharan
Dan Clarke
January 3, 2020 01:12 PM UTC
Hi. I think you've perhaps misunderstood the issue. The issue isn't about HTML encoding - the issue is about allowing JavaScript that the end-user has entered into a form to be executed. Regardless of whether it's a grid or a textbox etc. - Syncfusion isn't sanitising against this. This is a huge security risk.
See XSS in the OWASP Top 10: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf, and here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.
Balaji Sekar
Syncfusion Team
January 7, 2020 12:44 PM UTC
Hi Dan,
Thanks for your update.
By default, whatever text is entered in the grid is stored as-is, because the grid performs no conversion of the value.
For example, if we enter a value such as < span><b > value</b></span > during grid editing, the grid is updated with that same value.
Please refer to the below sample and video demonstration.
Please get back to us, if you need any further assistance.
Regards,
Balaji Sekar.
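The two rendering paths discussed in this thread, as an added TypeScript example that is not Syncfusion's code: a stand-in for the grid's cell rendering, the output encoding the OWASP cheat sheet recommends for HTML body context, and a helper that applies an encoding default across every column definition so the property does not have to be remembered per control. It assumes (check the EJ2 docs for your version) that `disableHtmlEncode: true` means the column encodes its cell content; `ColumnDef`, `renderCell` and `withEncodingDefault` are names chosen for this example.

```typescript
// Added example, not Syncfusion's code. Models the rendering paths the
// thread is about: a cell whose text is HTML-encoded before display versus a
// cell whose raw value is written into the DOM as markup.

// Grid column definition reduced to the fields this example needs.
// `disableHtmlEncode` is the EJ2 column property named in the thread; the
// assumption here is that `true` means the grid encodes the cell content.
interface ColumnDef {
  field: string;
  headerText?: string;
  disableHtmlEncode?: boolean;
}

// Entity-encode the five characters that let text break out of an HTML
// text node or attribute value (OWASP rule for the HTML body context).
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
export function encodeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Stand-in for the grid's cell renderer: an encoding-enabled column never
// emits the user's raw "<script>"; an opted-out column emits it verbatim.
export function renderCell(col: ColumnDef, value: string): string {
  const body = col.disableHtmlEncode ? encodeHtml(value) : value;
  return `<td>${body}</td>`;
}

// Fleet-wide default: turn encoding on for every column unless the
// developer has set the property explicitly. This is the "globally
// sanitize" control the original poster asked for, applied at the
// column-definition layer before the definitions reach the grid.
export function withEncodingDefault(columns: ColumnDef[]): ColumnDef[] {
  return columns.map((c) =>
    c.disableHtmlEncode === undefined ? { ...c, disableHtmlEncode: true } : c
  );
}

// Does a rendered cell still carry a script tag? Used to check each path.
export function containsScriptTag(html: string): boolean {
  return /<script\b/i.test(html);
}

// Constructed sample: the payload from the first post and two columns,
// one relying on the default and one with an explicit opt-out.
export const SAMPLE_PAYLOAD = "<script>alert('hello')</script>";
export const COLUMNS: ColumnDef[] = withEncodingDefault([
  { field: "Name", headerText: "Name" },
  { field: "Notes", headerText: "Notes", disableHtmlEncode: false },
]);
```

Encoding at render time protects the display path only; the stored value is still the raw string, which is what the last reply describes.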