Potential Security Vulnerability – Inadvertent Javascript Execution

ken asked 4 weeks ago

Hi,

(TL;DR: phpgrid causes the browser to render HTML inside cell contents, causing a JavaScript injection / execution vulnerability. Is there a setting that turns this off?)

I purchased phpgrid.org and have been using it only for some simple projects.

I saw an earlier post on how to show HTML as unformatted in the grid (I guess he meant that, e.g., if a cell had <b>string</b>, instead of showing a bold string it should show the literal <b>string</b> in the grid). It seems like by default phpgrid shows HTML code rendered – this did not seem like proper behavior for a data entry tool.

That got me curious, so I took it a step further – what if there was JavaScript in the cell contents? It turned out there are two behaviors which I would think are either not good design, a bug, a security vulnerability, or maybe I missed some configuration in the docs – which may be my fault!

So, let's say a cell already has this buried in its contents:

alert('you got hacked');

https://imgur.com/a/ogoBC2s

Problem 1: If I double-click to edit the cell, and then save (with the JS still in the cell), the JavaScript actually gets executed (a pop-up came up).

You can see that this is a major vulnerability, especially if I was editing a cell with a lot of contents and some JS buried in there. The JS is executed from the page, so the JS could have done anything – call home, etc.

Problem 2: The script tags disappeared after one save. But since the role of phpgrid is just to edit strings and not make judgements on what I edit, it should not be filtering out my content.

Neither Problem 1 nor Problem 2 is proper behavior – the PHPGrid library should just allow us to edit contents, not render them (especially not render the JS), and not modify the contents on its own.

Proper behavior is shown by other software like phpMyAdmin or Adminer – where contents are shown as just strings without any rendering, and any modifications are not filtered by default.

Experts at PhpGrid – any views? Did I miss a setting that will turn off rendering and auto content modification?
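The two behaviors above correspond to two different rendering choices. As an added example (not phpgrid's code, and not part of the original post), the snippet below shows the defensive default a grid should use: entity-encode every cell so the browser treats it as text rather than markup (fixing Problem 1), and demonstrates that encoding, unlike stripping tags, keeps the stored value intact (the data loss in Problem 2). The `trustedHtmlColumns` opt-in is hypothetical.

```javascript
// Added example: encode grid cell contents as text so the browser never
// interprets them as markup, and show that encoding (unlike stripping tags)
// preserves the stored value exactly. Not phpgrid code.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Reverse of escapeHtml; used here only to prove the round trip is lossless.
function unescapeHtml(html) {
  const inverse = Object.fromEntries(Object.entries(ESCAPES).map(([k, v]) => [v, k]));
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (ent) => inverse[ent]);
}

// Render one row as <td> cells. Every column is escaped unless it is listed in
// trustedHtmlColumns (hypothetical opt-in; the safe default is an empty list).
function renderRow(row, trustedHtmlColumns = []) {
  const trusted = new Set(trustedHtmlColumns);
  return Object.entries(row)
    .map(([col, val]) => `<td>${trusted.has(col) ? val : escapeHtml(val)}</td>`)
    .join('');
}

// The "strip the tags" approach seen in Problem 2: it silently alters the data.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Constructed sample row: a note column holding markup and an inline script.
const SAMPLE_ROW = {
  id: 7,
  note: "Call <b>Ken</b> <script>alert('you got hacked')</script>",
};

function demo() {
  const html = renderRow(SAMPLE_ROW);
  return {
    html,
    containsLiveScript: /<script>/.test(html),                            // false
    roundTrip: unescapeHtml(escapeHtml(SAMPLE_ROW.note)) === SAMPLE_ROW.note, // true
    stripped: stripTags(SAMPLE_ROW.note),                                  // data lost
  };
}
```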
