
Thread: Server side HTML encoding with EXT JS front end

  1. #1

    Hi,

    Recently I've been playing around with various HTML encoding of values on the server to avoid things like XSS attacks. Before we go the best route, which is probably checking and sanitizing all input on the server, I've been using the ESAPI library's encodeForHTML. Everything works fine until I go to load an ext form with the data.

    As an example, let's say we have an address stored in a db as "111 East Kilborn St". I encode it on the server and it becomes
    Code:
    111&#x20;EAST&#x20;KILBORN
    That's the hex value. I send this down as JSON just fine to EXT-JS. It appears fine in our grid, but when we load that piece of data into an ext form field like a textbox it actually shows up as
    Code:
    111&#x20;EAST&#x20;KILBORN
    when I want those hex characters to represent spaces.

    Any idea why this is happening? Is there a way to get it to appear much like the grid and show up almost as decoded? But without compromising security?

  2. #2


    Quote Originally Posted by icantthinkofausername View Post
    Hi,

    Recently I've been playing around with various HTML encoding of values on the server to avoid things like XSS attacks. Before we go the best route, which is probably checking and sanitizing all input on the server, I've been using the ESAPI library's encodeForHTML. Everything works fine until I go to load an ext form with the data.

    As an example, let's say we have an address stored in a db as "111 East Kilborn St". I encode it on the server and it becomes "111 EAST KILBORN". I send this down as JSON just fine to EXT-JS. It appears fine in our grid, but when we load that piece of data into an ext form field like a textbox it actually shows up as "111 EAST KILBORN".

    Any idea why this is happening? Is there a way to get it to appear much like the grid and show up almost as decoded? But without compromising security?
    Oops. The formatting on the forums cleaned up my example.

    On the way down from the DB it turns into
    Code:
    111&#x20;EAST&#x20;KILBORN
    where that #code is the hex HTML encoding of a space. This is also what is shown in the textbox, when I want it to show the spaces.

  3. #3
    Ext JS Premium Member
    Join Date
    Jan 2010
    Location
    Austria
    Posts
    87


    Have you tried this with an EditorGrid? (new Ext.grid.EditorGrid, and add editor: new Ext.form.TextField({}) to your column
    definition.)
    Just to check whether the problem is the load stuff of your form.

    Maybe you have configured a maxLength in your form and the text is too long.

  4. #4


    Hmm, sorry, it wasn't just the length; I forgot to wrap the example in code tags!

  5. #5


    The FormField setValue function just updates the DOM object of the FormField.
    If rendered to a GridPanel, an Ext.XTemplate is applied somewhere.

    I've never worked with Templates, so I can't help you here, but I'm pretty sure defining the right tpl config
    of your Form elements will fix the problem.

  6. #6


    I'm beginning to think this is a JavaScript thing more than EXT. I'm surprised I'm the only one to encounter it.

  7. #7


    Well,

    It looks like part of it is my ignorance. JavaScript encoding is different from HTML encoding. The problem at the moment almost seems like a design one, though.

    It more or less turns into: how do I encodeForHtml for things like grids, yet encodeForJavascript for things like textboxes?

  8. #8


    Have you found any good solution to your problem? I'm encountering the same thing now.

  9. #9


    Like I said it usually boils down to a design problem.

    Textboxes do not HTML decode (at least when set through JavaScript), while things like grids (built from HTML) display fine. Someone gave me a JavaScript htmlDecode that seemed to do the job (I overrode the textbox setValue and some other components to use it). There is probably a better JS function, but this seems to work for all intents and purposes.

  10. #10


    Thanks for the tip. I alternated between encoding for HTML and encoding for JavaScript at the server, and found that encoding for HTML is the better way. Grids linked to stores will display without issue. To decode the HTML entities, another thread in this forum suggested making use of the browser's own HTML encoder/decoder to do it, which might be the "better js function" that you're looking for.

    EDIT: The thread link above isn't obvious -- http://www.sencha.com/forum/showthre...L-Entities-2.0
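The behaviour described in posts #7, #9 and #10 comes down to two different DOM sinks: a grid cell is rendered through an XTemplate into innerHTML, which the browser parses as HTML (so `&#x20;` becomes a space), while a form field's setValue ends up assigning `input.value`, a plain DOM property that is never parsed (so the entity shows up literally). The following is an added example, not code from the thread, from ESAPI or from Ext JS. It gives a client-side entity decoder of the kind post #9 asked for, shows the double-decoding bug a chained-replace decoder has, and wraps the "browser's own decoder" idea from post #10 in a form that degrades to pure JavaScript so it runs under Node. The entity table and function names are this example's own assumptions.

```javascript
// Added example for this thread; not code from the original posts, ESAPI or Ext JS.
// Decodes server-side HTML-entity output (e.g. ESAPI encodeForHTML) on the client so
// it can be assigned to a text field's input.value, which is never parsed as HTML.

// Named entities this decoder understands (an assumed subset; extend as needed).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// Single-pass decoder: every entity is replaced exactly once, so the text an entity
// decodes to is never re-scanned as another entity. "&amp;lt;" therefore becomes
// "&lt;" (one level of decoding), not "<".
function decodeHtmlEntities(s) {
  return s.replace(/&(#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g,
    (match, _entity, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp <= 0x10FFFF ? String.fromCodePoint(cp) : match;
      }
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match; // unknown named entity: leave it untouched, as browsers do
    });
}

// A chained-replace decoder of the kind that "seems to do the job". It replaces
// &amp; first and every later replace re-scans the output, so a doubly encoded
// value, or an attacker-supplied "&amp;lt;", decodes one level too far.
function naiveDecode(s) {
  return s.replace(/&amp;/g, '&')
          .replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"')
          .replace(/&#x20;/g, ' ');
}

// Minimal HTML-context encoder, the client-side counterpart of the server's
// encodeForHTML, used here to demonstrate the round trip.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The "browser's own decoder" approach from the linked thread. DOMParser parses
// without executing scripts or loading sub-resources, unlike assigning innerHTML
// on a scratch element, where an un-encoded <img src=x onerror=...> would fire.
// Outside a browser (e.g. Node) it falls back to the pure-JS decoder above.
function browserHtmlDecode(s) {
  if (typeof DOMParser !== 'undefined') {
    const doc = new DOMParser().parseFromString(s, 'text/html');
    return doc.documentElement.textContent;
  }
  return decodeHtmlEntities(s);
}
```

The decoded string is safe to hand to `input.value` (or `textContent`) because those sinks do not interpret markup; it is not safe to put back into innerHTML, a template, or a column renderer, which is where the encoded form belongs. The cleaner layout, which post #7 is circling around, is to keep the JSON payload raw (JSON string escaping is its own context) and encode at the HTML sink only, for instance in the grid column renderer with `Ext.util.Format.htmlEncode`, so form fields never see entities at all.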
