Opened 12 years ago
Closed 11 years ago
#9173 closed defect (fixed)
XSS hole in Grid
| Reported by: | Bryan Forbes | Owned by: | Bryan Forbes |
|---|---|---|---|
| Priority: | high | Milestone: | 1.3.1 |
| Component: | DojoX Grid | Version: | 1.3.0 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
Right now, the grid just inserts whatever it gets from its "get" function into the node. We need to keep javascript from running in what comes from the "get" function.
Change History (5)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:3 Changed 12 years ago by
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
This breaks dojox/grid/tests/test_change_structure.html. Is there a better way to put buttons in a grid?
comment:4 Changed 12 years ago by
This "feature" needs to be something that can be turned on/off. There are very legitimate scenarios where a developer would want the HTML and JAVASCRIPT code to be run without adding a formatter. In fact, this solution adds a tremendous amount of processing time to the rendering of each cell if you want to have HTML shown in a cell.
Now we are requiring a developer to perform a string replace on the data to convert all '<' symbols back -- not to mention the Grid code had a string replace to convert them to HTML entities prior to the formatter. That's a double hit to rendering performance on each cell render.
comment:5 Changed 11 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
This has been fixed.
(In [17359]) * Fixes XSS hole in Grid (refs #9173 !strict).