jQuery Grid Plugin - jqGrid - Topic: JS injection

humbol on JS injection

Fri, 21 Dec 2012 12:56:58 +0200

Hello,

Now i understood why it is not by default, however :

'Now when

autoencode

is set to true we encode the data coming from server and not only when we post it (secutity fix)'

you ve data sanitized twice, so you ve to un sanitize data when you receive it.

tony on JS injection

Fri, 21 Dec 2012 12:39:47 +0200

Hello,

Look here

humbol on JS injection

Fri, 21 Dec 2012 11:18:35 +0200

Hello,

I just checked but still for the standard behaviour is doesnt seems logical to me.

If you set autoencode to true, then when you post to the server '

will be converted to '

<' , this means that i ll save '<' in my db. Afterwards, when i rebuild the grid with the data store, my json data will be

{test:'<'} so in the cell grid will appear '<', if you edit and save, the post will be {test:'&lt;'} and so on.

So, it just doesnt seem logical that I ve to un-encode the data in the server side. I ll just want to receive in the server what the user type (then i do what i want with that data), but the grid ve to be consistent.

For the moment what i do, is all the data that came from the server is already html escaped. and whenever i do editGridRow i set it to reloadAfterSubmit:true . This is a workaround that works, but I guess that is not what most people expects from this component.

thanks

tony on JS injection

Fri, 21 Dec 2012 10:25:21 +0200

Hello,

Look at autoencode option in grid settings.

Regards

humbol on JS injection

Fri, 21 Dec 2012 00:11:00 +0200

Hello Tony,

Thanks for the response, in fact i dont remember reading it, if you can pointing that info out i would appreciate.

However, back to the issue, if you write some invalid js line inside the script (i.e <script>xx</script>), then the row is not consistent anymore. Try to edit it afterwards and see.

My point is as follow, this injection or error is in the client side (i can escape things from my server, no prob), but this is the standard behaviour and as you can see even the demos are expossed.

regards,

Humbol

tony on JS injection

Thu, 20 Dec 2012 19:28:31 +0200

Hello,

It seems to me you do not have read the docs in order to see how you can avoid this.

Kind Regards

Tony

humbol on JS injection

Thu, 20 Dec 2012 19:13:55 +0200

Hello,

I have the following problem, whenever the user edit a row with the editGridRow or similar, there are no check of what the info is inserted.

You can check this behaviour in the Jqgrid demos. Row editing -> Basic Example

edit the row and modify the Client column with the following string :

then, when you save it the alert popups. And then if you edit it again the field is empty.

I guess that if we really trust the user and we want that he/she enters html data, then you can define in the editrules something like html:true, but in most cases that we dont trust you should escape js html tags just for showing it into the grid.

thanks in advance.