Purchased phpgrid.org and have been using it only for some simple projects.
I saw an earlier post on how to show HTML as unformatted in the grid (I guess he meant, e.g., if a cell had <b>string</b>, then instead of showing a bold string, the grid should show the literal <b>string</b>). It seems like by default phpGrid shows HTML code rendered, which did not seem like proper behavior for a data entry tool.
So, let's say a cell already has this buried in its contents:
alert('you got hacked');
You can see that this is a major vulnerability, especially if I was editing a cell with a lot of contents and some JS buried in there. The JS is executed from the page. So the JS could have done anything: call home, etc.
Problem 2: The script tags disappeared after one save. But since the role of phpGrid is just to edit strings and not make judgements on what I edit, it should not be filtering out my content.
Neither Problem 1 nor Problem 2 is proper behavior. The phpGrid library should just allow us to edit contents, not render them (especially not render the JS), and not modify the contents on its own.
Proper behavior is shown by other software like phpmyadmin or adminer – where contents are shown as just strings without any rendering. Any modifications are not filtered by default.
Experts at PhpGrid – any views? Did I miss a setting that will turn off rendering and auto content modification?
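The two behaviors described in the post, rendering stored HTML in the grid and silently stripping tags on save, are both avoided by the same pattern: escape at output time, store verbatim. The example below is added here and is not phpGrid code or a phpGrid setting; it uses an in-memory array of constructed rows in place of a database table and plain `htmlspecialchars()` to show how a cell containing `<b>string</b>` or a `<script>` element is displayed as literal text while the stored string round-trips unchanged through a save. The function names (`escapeCell`, `renderGrid`, `renderEditField`, `saveCell`) are hypothetical.

```php
<?php
// Added example (not phpGrid code): output escaping for grid display,
// with no filtering of what is stored.

// Constructed sample rows, standing in for a database table.
$rows = [
    ['id' => 1, 'note' => 'plain text'],
    ['id' => 2, 'note' => '<b>string</b>'],
    ['id' => 3, 'note' => "hello <script>alert('you got hacked');</script> world"],
];

/**
 * Escape one cell value for HTML display.
 * ENT_QUOTES also escapes single quotes so the same function is safe inside
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string. The charset must match the page's encoding.
 */
function escapeCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render rows as an HTML table; every cell goes through escapeCell(). */
function renderGrid(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  <tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . escapeCell((string) $cell) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

/** Pre-fill an edit field; the value attribute is escaped the same way. */
function renderEditField(string $name, string $value): string
{
    return '<input type="text" name="' . escapeCell($name)
        . '" value="' . escapeCell($value) . '">';
}

/**
 * Store the submitted value exactly as received: no strip_tags(), no
 * htmlspecialchars() on the way in. The browser submits the raw string
 * from the (escaped) input field, so the stored content is unchanged.
 */
function saveCell(array &$rows, int $id, string $submitted): void
{
    foreach ($rows as $i => $row) {
        if ($row['id'] === $id) {
            $rows[$i]['note'] = $submitted;
        }
    }
}

// Display: the script element appears as text and is never executed.
echo renderGrid($rows);
echo renderEditField('note', $rows[2]['note']), "\n";

// Round-trip: simulate the user saving row 3 without changes and confirm
// the stored string still contains the script tags verbatim.
$before = $rows[2]['note'];
saveCell($rows, 3, $before);
assert($rows[2]['note'] === $before);
echo "stored value unchanged after save\n";
```

The escaping lives only in `escapeCell()`, called from both the table renderer and the edit field; if phpGrid (or any grid) renders cell contents without that step, a value like row 3 runs as script in every viewer's browser, which is the stored XSS the post describes. Keeping the save path free of filtering is what lets the tool behave like phpMyAdmin or Adminer: what you type is what gets stored.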