Jan 28, 2010, 11:39 AM
[CLOSED] Security vulnerability: Javascript injection attack in grid editors
Hi,
I was surprised to see that I can type html tags into grid cell editors although my website has form violation turned on.
Lets say I modify your "array grid" example so that the company column becomes editable.
<ext:Column ColumnID="Company" Header="Company" Sortable="true" DataIndex="company">
    <Editor>
        <ext:TextField ID="txtCompany" runat="server" />
    </Editor>
</ext:Column>
Now I start editing the value and type the following into the editor: <a href="http://www.ext.net">click me</a>
I was expecting that - once the editor closes - I get an HTTP error 500 (dangerous form value). Instead, the grid cell gets updated and now shows a hyperlink to your coolite website.
Is this really secure or could some bad guy exploit this and hack into our website?
Please advise.
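Added example, not code from the original post or from Ext.NET: the cell shows a live link because the grid editor updates the cell on the client without a postback (so ASP.NET request validation never sees the value) and the column has no renderer that HTML-encodes it. The renderer below encodes the value so it displays as text, and `isDangerousFormValue` mirrors the rule request validation applies on the server, so the same check can be run in the save handler; the renderer name and the assumption that it is wired in through the column's Renderer configuration are mine.

```javascript
// Encode the characters that matter in HTML text and attribute contexts.
function htmlEncode(value) {
  return String(value == null ? "" : value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Column renderer with the Ext grid renderer signature (value, metadata, record).
// Hypothetical name; attach it to the Company column's renderer so edited
// text is shown literally instead of being parsed as markup.
function encodedCompanyRenderer(value, metadata, record) {
  return htmlEncode(value);
}

// Server-side check, written here in JavaScript so it runs stand-alone:
// ASP.NET request validation rejects '<' followed by a letter, '!', '/' or '?',
// and any '&#' sequence. Run the same rule when the edited row is saved.
function isDangerousFormValue(value) {
  const s = String(value == null ? "" : value);
  if (/<[a-zA-Z!\/?]/.test(s)) return true;
  if (s.indexOf("&#") !== -1) return true;
  return false;
}

// Constructed sample: the value typed into the editor in the post.
const typedValue = '<a href="http://www.ext.net">click me</a>';

// What the cell contains without a renderer versus with the encoding renderer.
function renderCell(value, useEncoding) {
  return useEncoding ? encodedCompanyRenderer(value, {}, null) : String(value);
}
```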