Opened 10 years ago

Closed 10 years ago

#9173 closed defect (fixed)

XSS hole in Grid

Reported by: Bryan Forbes Owned by: Bryan Forbes
Priority: high Milestone: 1.3.1
Component: DojoX Grid Version: 1.3.0
Keywords: Cc:
Blocked By: Blocking:


Right now, the grid just inserts whatever it gets from its "get" function into the node. We need to keep javascript from running in what comes from the "get" function.

Change History (5)

comment:1 Changed 10 years ago by Bryan Forbes

(In [17359]) * Fixes XSS hole in Grid (refs #9173 !strict).

comment:2 Changed 10 years ago by Bryan Forbes

Resolution: fixed
Status: newclosed

(In [17360]) * Fixed XSS hole in Grid (fixes #9173 !strict).

comment:3 Changed 10 years ago by Mignon Belongie

Resolution: fixed
Status: closedreopened

This breaks dojox/grid/tests/test_change_structure.html. Is there a better way to put buttons in a grid?

comment:4 Changed 10 years ago by jfirebau

This "feature" needs to be something that can be turned on/off. There are very legitimate scenarios where a developer would want the HTML and JAVASCRIPT code to be run without adding a formatter. In fact, this solution adds a tremendous amount of processing time to the rendering of each cell if you want to have HTML shown in a cell.

Now we are requiring a developer to perform a string replace on the data to convert all '<' symbols back -- not to mention the Grid code had a string replace to convert them to HTML entities prior to the formatter. That's a double hit to rendering performance on each cell render.

comment:5 Changed 10 years ago by Nathan Toone

Resolution: fixed
Status: reopenedclosed

This has been fixed.

Note: See TracTickets for help on using tickets.