Opened 4 years ago
Last modified 2 years ago
#18708 assigned defect
Client-Side XSS Bug in Grid Filter
| Reported by: | Davio | Owned by: | dylan |
|---|---|---|---|
| Priority: | high | Milestone: | 1.14 |
| Component: | DojoX Grid | Version: | 1.9.7 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
I noticed this bug in 1.9.7, but other versions may be affected as well.
When you use a filter with an EnhancedGrid?, you can insert some JavaScript? as the value and it will be executed. This is because the value is being displayed at the top of the Filter dialog and isn't properly escaped.
Attachments (1)
Change History (7)
Changed 4 years ago by
| Attachment: | filter.png added |
|---|
comment:1 Changed 4 years ago by
The problem occurs in file dojox\grid\enhanced\plugins\filter\FilterDefDialog?.js, function updateRuleTitle.
comment:2 Changed 4 years ago by
| Milestone: | tbd → 1.11 |
|---|---|
| Owner: | changed from Evan to dylan |
| Status: | new → assigned |
The various dojox/grid implementations are deprecated in favor of dgrid or gridx. That said, it's an XSS issue and should be fixed.
comment:3 Changed 4 years ago by
| Priority: | undecided → high |
|---|
comment:4 Changed 4 years ago by
| Milestone: | 1.11 → 1.12 |
|---|
Ok, after massive triage, ended up with about 80 tickets for 1.11 and 400 or so for 1.12. That's a bit unrealistic, so first I changed all 1.12 to 1.13 (with the plan to move some forward to the new 1.12. Now, I'm moving some of the 1.11 tickets that are less likely to get done this month without help to 1.11. Feel free to help out in January if you want to see this ticket land in 1.11.
comment:5 Changed 3 years ago by
| Milestone: | 1.12 → 1.13 |
|---|
Ticket planning... move current 1.12 tickets out to 1.13 that likely won't get fixed in 1.12.
comment:6 Changed 2 years ago by
| Milestone: | 1.13 → 1.14 |
|---|
This will output 'foo' in the JS console.