jQuery Grid Plugin - jqGrid - Topic: Automatic escape for cells content

melpomene on Automatic escape for cells content

Mon, 18 Jun 2012 16:45:17 +0300

Has the issue with XXS been solved somehow yet?

I noticed that it is possible to escape the data before it is sent to the server, but it is stil possible to insert javascripts on the clientside.

Is there a nice way of escaping the output before it is rendered? http://www.trirand.com/blog/jq.....grid.html# Try adding <script>alert("XXS");</script> in the input box.

tony on Automatic escape for cells content

Mon, 31 Aug 2009 10:56:39 +0300

Hello,

You must use the 3.5 version. I recommend to use the last one from GitHub.

Best Regards

Tony

joseisme on Automatic escape for cells content

Mon, 24 Aug 2009 14:12:09 +0300

Hello,

I also have this XSS problem. I would like to have jqgrid html-encode/escape bound data so that it cannot execute when it is displayed in jqgrid.

I am sorry I dont understand your reply Tony: is the option to encode data from the server available in version 3.4.4? or 3.5? What version must I use to have this feature?

Thanks,

-Jose

tony on Automatic escape for cells content

Thu, 13 Aug 2009 01:07:43 +0300

Hello,

Thanks - added option to encode the server data. Also if you set autoencode to true the data from server will be encoded.

Regards

Tony

fab2008 on Automatic escape for cells content

Mon, 10 Aug 2009 20:58:16 +0300

I read about that options, but it is for posting data to the server. What I mean in my previous post is the ability to include unescaped content in a cell. For example, suppose that your server side script returns a string like <script>alert('hello world')</script>, when your jqgrid is rendered the script is executed.

At this time, the only way to prevent such similar xss is to escape datas server side, or using a custom formatter, but this would mean that you can not use any other formatter for that cell.

Bye.

P.S. I'm trying to extend standard formatters by writing some other functions. I'd like to make something like extending that object, in this way I simply have to include my file and use my formatter in the same way of the bultin ones. One problem, I'm not very skilled with javascript, can somone help me with a link to some doc?

tony on Automatic escape for cells content

Mon, 10 Aug 2009 05:21:57 +0300

Hello,

You can use the autoencode option

http://www.trirand.com/jqgridw.....ki:options

Regards

Tony

fab2008 on Automatic escape for cells content

Sat, 08 Aug 2009 18:35:36 +0300

I love your plugin, I found it only two days ago and without any knowledge of it or jQuery I built a beautiful grid with a little effort. Before it I tried a lot of grid, for example YUI datatable, Dojogrid and others, but yours is the best, either the product itself and the documentation accurate and exhaustive.

IMHO the only feature that's missing (or maybe that I was not able to find) is automatic escape of cells content. It will be nice if we can have an option in colModel (such as escape) that prevent characters like < and > to be rendererd as html. Ideal thing is to have a jQuery('#idcell').text(content) call in an automated way.

I ask this because I use Zend Framework on server side, so in my db tables user content is stored as is, and then when used in webpages is escaped by Zend_View_Helper_Escape that does the hard job. In this way my model returns data as arrays with unescaped content. Now when I use this methods with a json helper to feed your grid if I have HTML code interpretated in cells, or even worse javascript...

I would like to keep my MVC models intact and execute escape of data using javascript, or even better directly with your grid.

By now I will use custom formatter feature, but in the future this is a nice improvment to your beautiful piece of software.

Regards