
Big problem with all controls (XSS, but not only)

Thread ID: 148260
Created: Oct 11, 2019 09:19 PM UTC
Updated: Oct 25, 2019 09:33 AM UTC
Platform: ASP.NET Core - EJ 2
Replies: 2
Tags: Text Box
adgr
Asked On October 11, 2019 09:19 PM UTC

I have a big problem with Syncfusion controls (e.g. with the TextBox control).
When the value in the TextBox is </script>, the page output is completely messy.

Output from the default ASP.NET Core control is OK, but output from the Syncfusion TextBox is "broken" (like on the screenshot below):


It's not only a problem with <script> or </script> text. A single quotation mark (") can break the output. It's because your library generates JavaScript without escaping values from model fields. For example:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({
  "enableRtl": false,
  "value": "</script>"
});
TextBoxhjmrudszwgx.appendTo("#editText"); 

Or for field value with quotation mark:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({
  "enableRtl": false,
  "value": """
});
TextBoxhjmrudszwgx.appendTo("#editText"); 

In my opinion it should be escaped.

What am I doing wrong? What do I have to do to make it work properly?

My sample project is in the attachment.

Attachment: Xss_be9ec3e9.zip

Sureshkumar P [Syncfusion]
Replied On October 16, 2019 12:51 PM UTC

Hi adgr, 

Greetings from Syncfusion support. 

We are validating your query and the shared code block with the image. We will update you with further details in three business days (10/21/2019). We appreciate your patience until then.

Regards, 
Sureshkumar P 


Sureshkumar P [Syncfusion]
Replied On October 25, 2019 09:33 AM UTC

Hi adgr, 
 
Sorry for the delay. 
 
Query 1: special character (*) issue

We have ignored the special characters (', *) by using an escape character to resolve the issue; please refer to the below:

"\"" but it is not applicable to the script tag.

Query 2: value in TextBox is </script>, page output is completely messy

We have considered this as a bug and promised to provide a fix in our Volume 4, 2019 release, scheduled for the first week of December. Please find the reference links below.
    
 
Regards, 
Sureshkumar P 

