Forum

November 2nd, 2014
Security Issues - Fortify Scan
18/03/2014
12:34
Marcin
New Member
Members
Forum Posts: 2
Member Since: 18/03/2014

Hi, I am using software provided by HP called Fortify.

It scans through code as well as through scripts and reports potential security issues.

It has found 6 critical issues with jqGrid version 4.6.0:

Dynamic Code Evaluation: Code Injection (Input Validation and Representation, Data flow)

  1. The file grid.celledit.js interprets unvalidated user input as source code on line 53. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
  2. The file grid.celledit.js interprets unvalidated user input as source code on line 87. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
  3. The file jquery.jqGrid.js interprets unvalidated user input as source code on line 9959. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
  4. The file jquery.jqGrid.js interprets unvalidated user input as source code on line 9993. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
  5. The file jquery.jqGrid.src.js interprets unvalidated user input as source code on line 9959. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.
  6. The file jquery.jqGrid.src.js interprets unvalidated user input as source code on line 9993. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.

For us it is very important to have secure code "live", otherwise we cannot use it. What are the chances these issues can be solved?

If you need any details please feel free to contact me!

19/03/2014
12:37
tony
Sofia, Bulgaria
Moderator
Members

Moderators
Forum Posts: 7721
Member Since: 30/10/2007

Hello,

The warnings are actually only 2, in the cell edit module, and they refer to setTimeout, which is used with zero delay, i.e.

setTimeout(function(){…}, 0);

Your analysis software thinks that this is dangerous, but actually it is not.

I can assure you that I will set the timeout to 1, something like this:

setTimeout(function(){…}, 1);

Just fixed the code on GitHub.

Regards

For professional UI suites for Java Script and PHP visit us at our commercial products site - guriddo.net - by the very same guys that created jqGrid.
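Fortify's "Dynamic Code Evaluation" category typically covers calls that interpret a string as code (eval, Function, and setTimeout/setInterval when handed a string rather than a function); the thread does not show which rule fired on these lines. The example below is an added illustration, not code from this thread, from jqGrid, or from Fortify: a simplified classifier of the kind a static scanner might apply to timer calls, run over a constructed sample. It looks only at what kind of value the first argument is and reports the delay argument alongside, so the reader can see how the two setTimeout shapes discussed above (function literal with delay 0 or 1) are classified next to a string-building call. The rule, the helper names, and the sample source are all assumptions made for the example.

```javascript
// Added example (not jqGrid or Fortify code): a simplified "dynamic code
// evaluation" check for setTimeout/setInterval. Assumption: the property a
// scanner cares about is whether the first argument is a string (which
// browsers evaluate as code) or a function object.

// Split the argument list of a call whose "(" is at index `open` in `src`.
// Tracks nesting and string literals so commas inside them are not separators.
// Returns { args: [trimmed argument texts], end: index of the closing ")" }.
function splitCallArgs(src, open) {
  const args = [];
  let depth = 0, cur = "", quote = null, i = open + 1;
  for (; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                              // inside a string literal
      cur += ch;
      if (ch === "\\") { cur += src[++i]; continue; }   // keep escaped char
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; cur += ch; continue; }
    if ("([{".includes(ch)) depth++;
    if (")]}".includes(ch)) {
      if (depth === 0) break;                 // closing ")" of the call itself
      depth--;
    }
    if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return { args, end: i };
}

// Classify the first argument of a timer call.
//   "function"   - function expression or arrow function: nothing is parsed as code
//   "string"     - string literal (possibly concatenated): evaluated as code,
//                  an injection sink if any piece of it is user-controlled
//   "expression" - identifier or other expression: needs data-flow analysis
function classifyArg(arg) {
  if (/^(async\s+)?function\b/.test(arg)) return "function";
  if (/^(async\s+)?(\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>/.test(arg)) return "function";
  if (/^["'`]/.test(arg)) return "string";
  return "expression";
}

// Find every setTimeout/setInterval call in `src` and report its 1-based line,
// the classification of its first argument, and the delay argument as written.
function findTimerSinks(src) {
  const out = [];
  const re = /\b(setTimeout|setInterval)\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;   // index of the "("
    const { args } = splitCallArgs(src, open);
    const line = src.slice(0, m.index).split("\n").length;
    out.push({
      line,
      call: m[1],
      kind: classifyArg(args[0] || ""),
      delay: args.length > 1 ? args[1] : null,
    });
  }
  return out;
}

// Constructed sample source (hypothetical, not taken from jqGrid).
const SAMPLE = [
  "// constructed sample, not jqGrid source",
  "setTimeout(function(){ grid.restoreRow(rowid); }, 0);",
  "setTimeout(function(){ grid.restoreRow(rowid); }, 1);",
  "setTimeout(\"grid.restoreRow('\" + rowid + \"')\", 0);",
  "setTimeout(cb, 0);",
  "window.setInterval(() => poll(), 1000);",
].join("\n");

for (const hit of findTimerSinks(SAMPLE)) {
  console.log(`line ${hit.line}: ${hit.call} first-arg=${hit.kind} delay=${hit.delay}`);
}
```

On the constructed sample the two function-literal calls come out as "function" whichever delay is passed, the concatenated-string call is the one that is actually an evaluation sink, and the bare identifier is flagged as needing data-flow follow-up. When a scanner reports a finding on a line like those in the thread, the first thing to check is which of these three shapes the line has.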

24/03/2014
12:47
Marcin
New Member
Members
Forum Posts: 2
Member Since: 18/03/2014

Thanks, tony, for the reply and your support.
I will run the scan against the changed code and post the results in this thread.

Br Marcin

25/03/2014
12:10
tony
Sofia, Bulgaria
Moderator
Members

Moderators
Forum Posts: 7721
Member Since: 30/10/2007

Hello,

Thanks. It will be interesting for me too.

Kind Regards

Tony
