BUG in Datatables - Security Vulnerability

saurabh_seth Posts: 9 Questions: 0 Answers: 0
edited August 2012 in Bug reports
I am using the DataTables editable feature in my project and came across a serious bug in it.

Access below link of Datatables editable :

http://jquery-datatables-editable.googlecode.com/svn/trunk/index.html

Double-click on any cell to update its contents. Type the text below:

alert("hello");

Hit Enter. It will pop up the alert message. This is a serious threat, as it is cross-site scripting.

Can anyone help me avoid this?

Replies

  • allan Posts: 63,381 Questions: 1 Answers: 10,449 Site admin
    I'd absolutely agree that is a serious issue - however, the editable plug-in is third-party software and not part of the DataTables project. It is the editable plug-in, rather than DataTables core, which has this problem. I'd suggest opening an issue on the editable plug-in's bug tracker.

    Regards,
    Allan
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Hi Allan,

    Thanks for the quick response. Actually I am using DataTables editable (i.e. jquery.dataTables.editable) using makeEditable.

    Is this third-party software which is integrated into DataTables? I thought it was one of the great features of DataTables.

    Can you please provide a link/url where I can open this issue?

    OR

    Any suggestion you can provide to avoid this.


    Thanks.
  • allan Posts: 63,381 Questions: 1 Answers: 10,449 Site admin
    Editor is the "official" editing plug-in for DataTables and is fully supported as part of this project, as well as having professional support options available: http://editor.datatables.net .

    > Can you please provide a link/url where I can open this issue?

    You provided most of it yourself :-) http://jquery-datatables-editable.googlecode.com . Basically the HTML code just needs to be escaped at some point.

    Allan
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Thanks for the info Allan.

    Yes, I tried that. Actually it works if I later access the page.

    But when I edit a cell, the update request goes to my controller, and from there I am returning the entered value of the textarea using the code below.

    PrintWriter out = response.getWriter();
    out.print();
    response.flushBuffer();

    Then it shows a pop-up...
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    I have tried the below as well, but it still shows the pop-up.

    PrintWriter out;
    out = response.getWriter();
    out.write();
  • allan Posts: 63,381 Questions: 1 Answers: 10,449 Site admin
    I would think that the HTML escaping needs to be done just before the cell value is written, or possibly your server should reject inputs with , etc. DataTables is just doing cell.innerHTML = valueGiven;. So if the value given has HTML in it, that will be written into the cell.

    Allan
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Actually, I would expect that it should display the cell value that the user has entered, i.e. alert("hello");

    and of course without the pop-up.

    Isn't it possible to manipulate the data by escaping it before the value is sent back from the controller?
    I tried escaping '<' with '&lt;' and so on, but it still shows a pop-up.

    The problem with escaping before the cell value is written is how to get the id of the textarea which is generated after the user double-clicks on the cell.

    I am struggling to achieve this for my other requirement as well, i.e. to integrate the JSpell Checker plugin into the textareas in Editable. To achieve that I need to have the id of the dynamically generated textarea.

    Can you please help how to achieve that?
  • allan Posts: 63,381 Questions: 1 Answers: 10,449 Site admin
    > Actually, I would expect that it should display the cell value what user has entered

    The problem is that it is displaying what they put in, and they put in HTML! What I think you want it to display is:

    > alert("hello");

    > Isnt it possible to manipulate the data of escaping before value is sent back from the controller?

    One option might be to use mRender to HTML encode the string before it is displayed. Thinking about it, that's probably what I would try.

    Allan
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Allan,

    But don't you think mRender will be called after the pop-up comes up? Because as soon as the value is returned from my controller class, the pop-up comes up.
  • allan Posts: 63,381 Questions: 1 Answers: 10,449 Site admin
    mRender is called before the data is put into the document and therefore provides the opportunity to escape the HTML.

    Allan
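The following is an added example, not code from the thread, from DataTables or from the editable plug-in. It shows the two halves of what Allan describes: a cell sink that behaves like `cell.innerHTML = valueGiven`, and an mRender-style renderer that HTML-escapes the value for the `display` type only (so sorting and filtering still see the raw text). The `wouldCreateElements` check is a deliberately crude stand-in for the browser's HTML parser, used here only to show which strings would create elements when assigned to innerHTML; the sample inputs are constructed for this example.

```javascript
// Added example: escaping a cell value before it is written with innerHTML.
// Not part of the DataTables or jquery.dataTables.editable projects.

// Escape the characters that let a string break out of text content or an
// attribute value when it is inserted as HTML.
function escapeHtml(value) {
    var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
    return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// mRender-style renderer with the DataTables 1.9 signature (data, type, full).
// Only the 'display' variant is written into the document, so only that one is
// escaped; 'sort', 'filter' and 'type' keep the raw value the user typed.
function renderEscaped(data, type, full) {
    if (type === 'display') {
        return escapeHtml(data);
    }
    return data;
}

// Rough stand-in for the innerHTML parser (hypothetical helper for this example):
// does the string contain something that would be parsed as a start tag?
function wouldCreateElements(html) {
    return /<[a-zA-Z][^>]*>/.test(html);
}

// Constructed sample inputs: the thread's payload, an attribute-based vector,
// and benign text that happens to contain '&' and '<'.
var SAMPLES = [
    'plain text',
    '<script>alert("hello");</script>',
    '<img src=x onerror="alert(1)">',
    'Tom & Jerry <3'
];

// Compare the unsafe path (raw value assigned to innerHTML) with the escaped path.
function demo() {
    return SAMPLES.map(function (v) {
        var safe = renderEscaped(v, 'display', null);
        return {
            input: v,
            unsafeCreatesElements: wouldCreateElements(v),     // what innerHTML = v would do
            safeCreatesElements: wouldCreateElements(safe),    // always false after escaping
            rendered: safe
        };
    });
}

if (typeof require !== 'undefined' && require.main === module) {
    console.log(JSON.stringify(demo(), null, 2));
}
```

Escape exactly once, at the point where the value becomes HTML: if the server already returns `&lt;script&gt;` and the renderer escapes again, the cell shows the literal text `&lt;script&gt;` instead of `<script>`, which is the double-escaping symptom to watch for when combining server-side and mRender escaping.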
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Hi Allan,

    I tried using mRender, but I am not able to make it work. Below is the sample code.

    "aoColumns": [
        {"mDataProp": "rowId", "bVisible": false},
        {"mDataProp": "col1", "bVisible": false},   // aTargets removed: it belongs in aoColumnDefs, not aoColumns
        {"mDataProp": "col2", "bVisible": false},
        {"mDataProp": "col3", "sWidth": "100px"},
        {"sName": "col4",
         "sClass": "editor_disabled", "sWidth": "300px",
         "mRender": function (data, type, full) {   // DataTables 1.9 renderer
             return "SOME DUMMY TEXT";
         }
        },
        {"fnRender": function (obj) {               // legacy renderer (older API)
             return "HELLO";
         }, "bSortable": false, "sWidth": "130px"},
        {"mDataProp": "col6",
         "sClass": "editor_disabled", "sWidth": "120px"},
        {"fnRender": function (obj) {
             return "WORLD";
         }, "bUseRendered": false, "sWidth": "120px"},
        {"mDataProp": "col8", "sWidth": "100px"},
        {"mDataProp": "col9", "bVisible": false}
    ]
    }).makeEditable({
        sUpdateURL: "updateURL.do",
        "aoColumns": [
            null,
            {"type": "textarea",
             "submit": "Save",
             "cssclass": "textArMsg"                 // trailing comma removed (syntax error in older IE)
            },
            null,
            {"mDataProp": "col6",
             "type": "select",
             "submit": "Save"
            },
            null,
            null
        ]
    });


    Is something wrong with this?
  • saurabh_seth Posts: 9 Questions: 0 Answers: 0
    Anyone please help me on this.
This discussion has been closed.