Opened 4 years ago

Last modified 18 months ago

#18708 assigned defect

Client-Side XSS Bug in Grid Filter

Reported by: Davio
Owned by: dylan
Priority: high
Milestone: 1.14
Component: DojoX Grid
Version: 1.9.7
Keywords:
Cc:
Blocked By:
Blocking:

Description

I noticed this bug in 1.9.7, but other versions may be affected as well.

When you use a filter with an EnhancedGrid, you can insert some JavaScript as the value and it will be executed. This is because the value is being displayed at the top of the Filter dialog and isn't properly escaped.

Attachments (1)

filter.png (14.9 KB) - added by Davio 4 years ago.
This will output 'foo' in the JS console.


Change History (7)

Changed 4 years ago by Davio

Attachment: filter.png added

This will output 'foo' in the JS console.

comment:1 Changed 4 years ago by Davio

The problem occurs in file dojox\grid\enhanced\plugins\filter\FilterDefDialog.js, function updateRuleTitle.
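The unescaped-title pattern this ticket describes, next to an escaped version, as an added example that is not code from the Dojo source or from this ticket. The function names, the title markup and the sample filter value are assumptions constructed for illustration.

```javascript
// Added illustration; not the Dojo source. All names here are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the user-typed filter value is concatenated into markup
// that is later assigned to innerHTML, so the browser parses it as HTML.
function ruleTitleUnsafe(column, condition, value) {
  return "<span class='ruleTitle'>" + column + " " + condition + " " + value + "</span>";
}

// Hardened pattern: every dynamic part is escaped before it reaches the markup.
// (In a browser, assigning the text through textContent achieves the same result.)
function ruleTitleSafe(column, condition, value) {
  return "<span class='ruleTitle'>" +
    [column, condition, value].map(escapeHtml).join(" ") + "</span>";
}

// Rough count of the tags an HTML parser would see in a fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample input, modelled on the attachment note ("outputs 'foo'").
const typedValue = "<img src=x onerror=\"console.log('foo')\">";

const unsafeTitle = ruleTitleUnsafe("Name", "contains", typedValue);
const safeTitle = ruleTitleSafe("Name", "contains", typedValue);

// The unsafe title carries an extra element; the safe one only the wrapper span.
console.log(countTags(unsafeTitle), unsafeTitle);
console.log(countTags(safeTitle), safeTitle);
```
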

comment:2 Changed 3 years ago by dylan

Milestone: tbd → 1.11
Owner: changed from Evan to dylan
Status: new → assigned

The various dojox/grid implementations are deprecated in favor of dgrid or gridx. That said, it's an XSS issue and should be fixed.

comment:3 Changed 3 years ago by dylan

Priority: undecided → high

comment:4 Changed 3 years ago by dylan

Milestone: 1.11 → 1.12

Ok, after massive triage, ended up with about 80 tickets for 1.11 and 400 or so for 1.12. That's a bit unrealistic, so first I changed all 1.12 to 1.13 (with the plan to move some forward to the new 1.12). Now, I'm moving some of the 1.11 tickets that are less likely to get done this month without help to 1.11. Feel free to help out in January if you want to see this ticket land in 1.11.

comment:5 Changed 2 years ago by dylan

Milestone: 1.12 → 1.13

Ticket planning... move current 1.12 tickets out to 1.13 that likely won't get fixed in 1.12.

comment:6 Changed 18 months ago by dylan

Milestone: 1.13 → 1.14