1. #1 Hani (Sencha Premium Member, joined Apr 2007, 65 posts)

    Grid editing security

    Right now I can enter arbitrary html/js into an editable grid, so in the editable grid demo for instance, on firefox, I can enter this for a plant name:

    <script>alert('vulnerable');</script>

    Any plans on having values correctly escaped in editable grids? After all, <foo> is a valid name, and is input by users, so there's no reason to treat it as markup.

  2. #2 tryanDLS (Sencha User, joined Mar 2007, 7,854 posts)

    I would think you could handle this with a regex validator on the field or a vtype.

  3. #3 Hani (Sencha Premium Member, joined Apr 2007, 65 posts)

    This isn't really a good fix, as it's something a bit more fundamental than that. The question is, is markup allowed in editable grids by intent, or accident? Very few (well, none, outside of techie admin type functionality) input elements allow markup, let alone random javascript that's executed on submit.

  4. #4 tryanDLS (Sencha User, joined Mar 2007, 7,854 posts)

    It's up to you to validate your input. There's nothing to prevent you from typing script or markup into a generic HTML input or textarea and submitting it. You have to code for it, or for example .Net throws an exception when seeing script in input elements.

  5. #5 Hani (Sencha Premium Member, joined Apr 2007, 65 posts)

    I don't mean to be rude, but I think you're sort of missing the point.

    The issue isn't just about what is and isn't allowed, it's that by default, ext is XSS vulnerable. See http://en.wikipedia.org/wiki/Cross-site_scripting

    The current behaviour forces users to explicitly work around this issue, because ext will execute any malicious scripts entered by the user, and there's no obvious way to disable that.

    The correct solution (and I hope others will chime in to this thread, agreeing or not!) is to have some kind of html escaping flag, so when I enter <, it's converted to &lt; when displayed, and so on.

    Failing that, I'd happily accept a proposed solution that allows me to plug in such behaviour.

    I'd be surprised if any editable grid users expect or want to let their users enter <script> tags in grid cells.

  6. #6 jack.slocum (Sencha User, Tampa, FL, joined Mar 2007, 6,955 posts)

    Hani,

    There is a built-in renderer, Ext.util.Format.htmlEncode, which will do what you described (&lt;).
    Jack Slocum
    Ext JS Founder
    Original author of Ext JS 1, 2 & 3.
    Twitter: @jackslocum
    jack@extjs.com

  7. #7 Hani (Sencha Premium Member, joined Apr 2007, 65 posts)

    Perfect, thanks!

  8. #8 Hani (Sencha Premium Member, joined Apr 2007, 65 posts)

    The only way I can fix this issue cleanly across all my editors is by modifying the ext source itself, and adding this line in GridView's doRender function, right after the renderer has been called.

    Code:
        if(p.value != undefined && typeof r.data[c.name] == 'string') p.value = Ext.util.Format.htmlEncode(p.value);

    This obviously isn't ideal as it means that I have to modify the ext source itself. That particular code block is not very subclass friendly either, so subclassing isn't really a good option.

    Is there any hope of having this added as a configuration option, or some refactoring being done so I can at least easily hook in this 'post renderer' behaviour in a subclass?

    I can't add it to the default renderer alone since many tables use their own rendering (adding qtips and whatnot). I can't add it to every grid since it's not a scalable solution and other developers are likely to forget to do it sometimes.

  9. #9 jack.slocum (Sencha User, Tampa, FL, joined Mar 2007, 6,955 posts)

    You could try wrapping your renderers on the fly via a ColumnModel subclass.

    Code:
        SecureColumnModel = Ext.extend(Ext.grid.ColumnModel, {
            getRenderer : function(col){
                var c = this.config[col];
                // Wrap the column's renderer (or the default one) once and cache it
                if(!c.secureRenderer){
                    var fn = c.renderer;
                    if(!fn){
                        fn = Ext.grid.ColumnModel.defaultRenderer;
                    }
                    // Whatever the renderer returns is HTML-encoded before the grid inserts it
                    c.secureRenderer = function(){
                        return Ext.util.Format.htmlEncode(fn.apply(window, arguments));
                    };
                }
                return c.secureRenderer;
            }
        });

    Note, this was typed in here so may need some tweaking.
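    A stand-alone illustration of the two places the thread proposes to apply encoding, post #8 (encode the raw string value before the renderer runs) and post #9 (encode whatever the renderer returns). This is an added example, not Ext JS or the thread's code: htmlEncode is a stand-in modelled on Ext.util.Format.htmlEncode, and the two renderers are hypothetical.

```javascript
// Added example (not Ext JS code): a stand-in for Ext.util.Format.htmlEncode
// and the two places the thread proposes to apply it.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Hypothetical column renderers, standing in for a grid's own.
function plainRenderer(value) {
  return value;
}
function qtipRenderer(value) {
  // Deliberately emits markup, like the "qtips and whatnot" renderers
  // Hani mentions: the wrapper span must survive, the value must not.
  return '<span class="name">' + value + "</span>";
}

// Post #9's approach: encode whatever the renderer returns.
function encodeRendererOutput(fn) {
  return function () {
    return htmlEncode(fn.apply(null, arguments));
  };
}

// Post #8's approach: encode the raw string value before the renderer runs,
// leaving non-string data (numbers, dates) untouched.
function encodeRendererInput(fn) {
  return function (value) {
    var args = Array.prototype.slice.call(arguments);
    if (typeof value === "string") {
      args[0] = htmlEncode(value);
    }
    return fn.apply(null, args);
  };
}

// Constructed cell value: the payload quoted in the first post.
var PAYLOAD = "<script>alert('vulnerable');</script>";
// Render PAYLOAD with each strategy so the difference is visible.
function renderAll() {
  return {
    outputPlain: encodeRendererOutput(plainRenderer)(PAYLOAD),
    outputQtip: encodeRendererOutput(qtipRenderer)(PAYLOAD),
    inputQtip: encodeRendererInput(qtipRenderer)(PAYLOAD)
  };
}
```

Encoding the renderer's output, as in #9, also encodes any markup the renderer emits on purpose, which is why #8 encodes the string value before the renderer sees it.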

  10. #10 72 (Ext User, Czech republic, EU, joined Apr 2007, 152 posts)

    How hard is it to add a config option to do that? Even if it is false by default, whoever knows about it and wants it can easily switch (enable) it. I understand the performance concern, but I think that security comes first.
    72
