Issue 57: javascript injection in the filters
Status:  Accepted

Reported by, Nov 13, 2007
Potential security bug in that you can easily do javascript injection in
the filters.

For example you can input something like this :

'); alert('hello world');// 
Nov 14, 2007
I wonder if I could do something like set the filter value by wrapping it in a JSON
object or Array. That way the JavaScript should not execute.
Mar 10, 2008
(No comment was entered for this change.)
Labels: -Priority-Medium Priority-High
Mar 10, 2008
(No comment was entered for this change.)
Labels: -Type-Defect Type-Enhancement
Oct 22, 2008
Project Member #4
Came across a pretty good side effect of this encoding stuff. Try saving
<script>alert('whoops!');</script> in the worksheet example.
Mar 22, 2010
Oct 3, 2013
#6 harald.walker
There should be a way to validate the input of the filters. Just output encoding is not enough.
Oct 3, 2013
#7 harald.walker
As a solution I've added a validate method in a custom FilterMatcher and extended SimpleRowFilter to validate the filter value against this FilterMatcher first before iterating through the items collection.
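The injection from the original report and the two remedies discussed in the thread (serializing the filter value as a JSON literal instead of splicing it into script text, and validating the value before it is used) as an added example in JavaScript. This is not the project's code: applyFilter, buildFilterScriptVulnerable, buildFilterScriptSafe, validateFilterValue, runFilterScript and the allowed-character pattern are assumptions made for illustration.

```javascript
// Added example, not the project's code. Names below are assumptions.

// The reporter's payload: closes the string literal, runs arbitrary code,
// and comments out the rest of the generated line.
const PAYLOAD = "'); alert('hello world');//";

// Vulnerable: the filter value is concatenated straight into JavaScript
// source text, so a quote in the value changes the program.
function buildFilterScriptVulnerable(value) {
  return "applyFilter('" + value + "');";
}

// Hardened: the value becomes a JSON string literal (the idea in comment 2).
// JSON.stringify escapes quotes, backslashes and control characters; '<' is
// escaped as well so the output stays safe when inlined in an HTML <script>
// block, where a literal "</script>" would end the block early.
function buildFilterScriptSafe(value) {
  const literal = JSON.stringify(String(value)).replace(/</g, "\\u003c");
  return "applyFilter(" + literal + ");";
}

// Validation in addition to encoding, in the spirit of comment 7: accept only
// the characters a filter value is expected to contain (assumed pattern here)
// and reject everything else before the value is used anywhere.
const ALLOWED_FILTER_VALUE = /^[\w .@-]{0,64}$/;
function validateFilterValue(value) {
  return typeof value === "string" && ALLOWED_FILTER_VALUE.test(value);
}

// Runs a generated script with stub applyFilter and alert functions, so an
// injection shows up as a recorded call instead of a browser popup.
// Returns what reached applyFilter and what reached alert.
function runFilterScript(script) {
  const applied = [];
  const alerted = [];
  const fn = new Function("applyFilter", "alert", script);
  fn((v) => applied.push(v), (msg) => alerted.push(msg));
  return { applied, alerted };
}
```

With the payload above, the vulnerable builder produces `applyFilter(''); alert('hello world');//');` and the stub alert fires; the JSON-literal builder passes the whole payload through as one harmless string argument, and validateFilterValue rejects it outright because of the quote, parenthesis and semicolon characters.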

Powered by Google Project Hosting