Hi,
(TL;DR: phpGrid causes the browser to render HTML inside cell contents, causing a JavaScript injection/execution vulnerability. Is there a setting that turns this off?)
Purchased phpgrid.org and have been using it only for some simple projects.
I saw an earlier post on how to show HTML as unformatted in the grid (I guess he meant that, e.g., if a cell had <b>string</b>, instead of showing a bold string it should show the literal <b>string</b> in the grid). It seems like by default phpGrid shows HTML code rendered, which did not seem like proper behavior for a data entry tool.
That got me curious, so I took it a step further: what if there was JavaScript in the cell contents? It turned out there are two behaviors which I would think are either not good design, a bug, a security vulnerability, or maybe I missed some configuration in the docs, which may be my fault!
So, let's say a cell already has this buried in its contents:
alert('you got hacked');
Problem 1: If I double-click to edit the cell, and then save (with the JS still in the cell), the JavaScript actually gets executed (a pop-up came out).
You can see that this is a major vulnerability, especially if I was editing a cell with a lot of contents and some JS buried in there. The JS is executed from the page, so the JS could have done anything: call home, etc.
Problem 2: The script tags disappeared after one save. But since the role of phpGrid is just to edit strings and not make judgements on what I edit, it should not be filtering out my content.
Neither Problem 1 nor Problem 2 is proper behavior. The phpGrid library should just allow us to edit contents, not render them (especially not render the JS), and not modify the contents on its own.
Proper behavior is shown by other software like phpMyAdmin or Adminer, where contents are shown as just strings without any rendering. Any modifications are not filtered by default.
Experts at phpGrid, any views? Did I miss a setting that will turn off rendering and automatic content modification?
Hello,
Apologies for the delay. There was an issue on our side which caused a delay in replying to tickets.
I'll discuss problem #2 first. The grid's default behavior is to strip all HTML tags (strip_tags) from plain text fields. If someone wishes to allow HTML content, he can then set:
$col["formatter"] = "html";
Second, in this allowed HTML code, malicious code (e.g. XSS) is removed. If someone wishes to allow all HTML tags and skip the sanitization process, he can then set:
$col["sanitize"] = false;
If you set sanitize to false, it will act like phpMyAdmin/Adminer.
Now problem #1. To show HTML tags in a cell instead of rendering them, you need to set a custom formatter for that column, as mentioned in the FAQs:
$col["formatter"] = "function(cellval,options,rowdata){ return jQuery.jgrid.htmlEncode(cellval); }";
$col["unformat"] = "function(cellval,options,cell){ return jQuery.jgrid.htmlDecode(cellval); }";
This way, even if you write <js>alert(123);</js> in any text field, it will not be executed and will be shown as HTML tags.
You can test them further and let us know if you see any security vulnerability.
Hi Abu,
I am having this same problem, but the proposed solutions are not fixing the problem for me.
If I open a record for editing and save without any changes, those fields which contain JavaScript seem to be executing and the resultant output is saved to the cell. This destroys the integrity of the cell information.
Any other ideas I can use, or any idea why your suggestion isn’t working? I am using:
$col["formatter"] = "function(cellval,options,rowdata){ return jQuery.jgrid.htmlEncode(cellval); }";
$col["unformat"] = "function(cellval,options,cell){ return jQuery.jgrid.htmlDecode(cellval); }";
It looks like I’m using phpgrid version 2.0.0
Thanks.