The Syncfusion® native Blazor components library offers 70+ UI and Data Viz web controls that are responsive and lightweight for building modern web apps.
.NET PDF framework is a high-performance and comprehensive library used to create, read, merge, split, secure, edit, view, and review PDF files in C#/VB.NET.
Wow, I just noticed that in any of my form fields, if I enter javascript - eg. "<script>alert('hello')</script>" - if that gets displayed in a gridview, it'll execute that javascript and show a popup alert box! Surely this should sanitise by default out of this box. This is XSS 101! :(
Please get back to us, if you need further assistance.
Regards,
Thavasianand S.
DCDan Clarke June 21, 2019 01:49 PM UTC
So I have to add that to every single one of my controls? Isn't it a bit of a security issue that this isn't set by default? I'm guessing a lot of SyncFusion users don't know about this and most now have XSS vulnerabilities in their systems because of it.
HJHariharan J V Syncfusion Team June 24, 2019 12:46 PM UTC
Hi Dan,
Thanks for contacting your update.
we have considered your request as improvement “Need to provide option to disable html encoding in grid root settings”. It will be included in any of our upcoming release. Until then we appreciate your patience.
You can now track the current status of your request, review the proposed resolution timeline, and contact us for any further inquiries through this link.
Hi. I think you've perhaps misunderstood the issue. The issue isn't about HTML encoding - the issue is about allowing Javascript that the end-user has entered into a form to be executed. Regardless of if it's a grid or a textbox etc - Syncfusion isn't sanitising against this. This is a huge security risk.
