We are using a paid version of this product and found DOM-based vulnerabilities in it.
DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way
For eg :-
Data is read from location.href and passed to the ‘append()’ function of JQuery via the following statements:
- jQuery(el) .parent() …d_url+ “\”);’ />” )
Let us know , if the latest version of this product has this fixed, or we would like to know a solution or a fix from your side.
Thanks and Regards
Thanks for reporting. Currently this feature to show add form when url contains form=add is rarely used.
To avoid this vulnerability risk, you can simple remove these lines. Your suggestion to put server side generated url is also doable but it will need some more testing time.
Search: location.href.replace in jqgrid_dist.php
And remove this block of 2 lines, 3 occurences in file:
… location.href.replace ….
Abu Ghufran - Dev Team
Grid 4 PHP Framework
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?