BUG in Datatables - Security Vulnerability
saurabh_seth
Posts: 9Questions: 0Answers: 0
I am using the DataTables editable feature in my project and came across a serious bug in it.
Access the link below for DataTables editable:
http://jquery-datatables-editable.googlecode.com/svn/trunk/index.html
Double click on any cell to update its contents. Type the text below:
alert("hello");
Hit Enter. It will pop up the alert message. This is a serious threat as cross-site scripting.
Can anyone help me to avoid this?
Replies
Regards,
Allan
Thanks for the quick response. Actually I am using DataTables editable (i.e. jquery.dataTables.editable) via makeEditable.
Is this third-party software that is integrated into DataTables? I thought it was one of the great features of DataTables.
Can you please provide a link/URL where I can open this issue?
OR
Any suggestion you can provide to avoid this.
Thanks.
> Can you please provide a link/url where I can open this issue?
You provided most of it yourself :-) http://jquery-datatables-editable.googlecode.com . Basically the HTML code just needs to be escaped at some point.
Allan
Yes, I tried that. Actually it works if I later access the page.
But when I edit a cell, the update request goes to my controller and from there I am returning the entered value of the textarea using the code below.
    PrintWriter out = response.getWriter();
    out.print();
    response.flushBuffer();
Then it shows a pop-up...
    PrintWriter out;
    out = response.getWriter();
    out.write();
Allan
and of course without the pop-up.
Isn't it possible to escape the data before the value is sent back from the controller?
I tried escaping '<' with '&lt;' and so on, but it still shows a pop-up.
The problem with escaping before the cell value is written is how to get the id of the textarea which is generated after the user double clicks on the cell.
I am struggling to achieve this for my other requirement, i.e. to integrate the JSpell Checker plugin into the textareas in Editable. To achieve that I need to have the id of the dynamically generated textarea.
Can you please help with how to achieve that?
The problem is that it is displaying what they put in, and they put in HTML! What I think you want it to display is:
> alert("hello");
> Isnt it possible to manipulate the data of escaping before value is sent back from the controller?
One option might be to use mRender to HTML encode the string before it is displayed. Thinking about it, that's probably what I would try.
Allan
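The escaping Allan describes in the two replies above (escape the HTML "at some point", ideally in a column renderer) looks like this in practice. The block below is an added example, not code from the DataTables or jquery-datatables-editable projects: it defines an escapeHtml() helper, an mRender-style function that applies it only when the value is about to be displayed, and a small stand-in for a table cell so the unsafe and hardened update paths can be compared outside a browser. The field name "col5", the fake cell and the sample payload are assumptions constructed for the example.

```javascript
// Added example (not from DataTables or jquery-datatables-editable): HTML-escape
// cell data before it reaches the DOM, so a submitted value such as
// <script>alert("hello");</script> is shown as text instead of executed.
//
// Assumptions (not in the thread): the row object has a "col5" field holding
// the user-edited text, and the server echoes the submitted value back
// unchanged, as the original poster's controller does.

// Escape the five characters that matter when a string is inserted as HTML.
// '&' must be replaced first so the entities produced later are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// DataTables 1.9-style mRender(data, type, full): escape when the value is
// about to be written into the DOM ('display') or matched for filtering, but
// return the raw value for 'sort' and 'type' so ordering is not distorted by
// entity text.
function renderEscaped(data, type, full) {
  if (type === 'display' || type === 'filter') {
    return escapeHtml(data);
  }
  return data;
}

// Minimal stand-in for a DOM element: records whatever is assigned to
// innerHTML so the example runs under plain Node without a browser.
function FakeCell() {
  this.innerHTML = '';
}

// Unsafe path: the server's echo of the edited value is dropped straight into
// the cell as HTML, which is the behaviour the thread is complaining about.
function updateCellUnsafe(cell, serverResponse) {
  cell.innerHTML = serverResponse;
  return cell.innerHTML;
}

// Hardened path: the value goes through the same renderer the column uses.
function updateCellEscaped(cell, serverResponse) {
  cell.innerHTML = renderEscaped(serverResponse, 'display', { col5: serverResponse });
  return cell.innerHTML;
}

// True if assigning this string to innerHTML would create a <script> element.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample input: the payload from the thread plus a harmless value
// that contains an ampersand, to show escaping does not mangle ordinary text.
const PAYLOAD = '<script>alert("hello");</script>';
const HARMLESS = 'Tom & Jerry';

function demo() {
  const unsafe = updateCellUnsafe(new FakeCell(), PAYLOAD);
  const escaped = updateCellEscaped(new FakeCell(), PAYLOAD);
  return {
    unsafeHasScript: containsScriptTag(unsafe),   // true: script would run
    escapedHasScript: containsScriptTag(escaped), // false: rendered as text
    escaped: escaped,
    harmless: renderEscaped(HARMLESS, 'display', { col5: HARMLESS }),
    sortValueUntouched: renderEscaped(PAYLOAD, 'sort', { col5: PAYLOAD }) === PAYLOAD
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a DataTables 1.9 column definition this would be wired up as `"mRender": renderEscaped` on the editable column. Two caveats for the configuration posted later in the thread: `aTargets` is an `aoColumnDefs` option, not an `aoColumns` one, so it has no effect where it appears there, and the renderer only protects what DataTables itself draws; if the editable plugin writes the server's reply into the cell directly, the reply must be escaped on the server (or by the plugin) as well, since the renderer never sees it.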
But don't you think mRender will be called after the pop-up comes up? Because as soon as the value is returned from my controller class, the pop-up comes up.
Allan
I tried using mRender, but I am not able to make it work. Below is the sample code:
    "aoColumns": [
        {"mDataProp": "rowId", "bVisible": false},
        {"mDataProp": "col1", "bVisible": false, "aTargets": [ 1 ]},
        {"mDataProp": "col2", "bVisible": false, "aTargets": [ 2 ]},
        {"mDataProp": "col3", "sWidth": "100px"},
        {"sName": "col4",
         "sClass": "editor_disabled", "sWidth": "300px",
         "mRender": function ( data, type, full ) {
             return "SOME DUMMY TEXT";
         }
        },
        {"fnRender": function( obj ) {
             return "HELLO";
         }, "bSortable": false, "sWidth": "130px"},
        {"mDataProp": "col6",
         "sClass": "editor_disabled", "sWidth": "120px"},
        {"fnRender": function( obj ) {
             return "WORLD";
         }, "bUseRendered": false, "sWidth": "120px"},
        {"mDataProp": "col8", "sWidth": "100px"},
        {"mDataProp": "col9", "bVisible": false}
    ]
    }).makeEditable({
        sUpdateURL: "updateURL.do",
        "aoColumns": [
            null,
            {"type": "textarea",
             "submit": "Save",
             "cssclass": "textArMsg"
            },
            null,
            {"mDataProp": "col6",
             "type": "select",
             "submit": "Save"
            },
            null,
            null
        ]
    });
Is something wrong in this?