Potential Security Vulnerability – Inadvertent Javascript Execution

QuestionsPotential Security Vulnerability – Inadvertent Javascript Execution
ken asked 5 years ago

Hi,

(TLDR: phpgrid causes browser to render HTML inside cell contents, causing javascript injection / execution vulnerability. Is there a setting that turns this off?)

Purchased phpgrid.org and have been using it only for some simple projects.

I saw an earlier post on how to show HTML as unformatted in the grid (I guess he meant meaning e.g. if a cell had <b>string</b> instead of showing a bold string, but to show literal <b>string</b> in the grid). It seems like by default phpgrid shows html code rendered – did not seem like proper behavior for a data entry tool.

That got me curious, so I took it a step further – what if there was javascript in the cell contents? Turned out there is two behaviors which I would think is either not good design, a bug, a security vulnerability or maybe I missed some configuration in the docs – which maybe my fault!

So, lets say a cell already has this buried in its contents:

alert(‘you got hacked’);

https://imgur.com/a/ogoBC2s

Problem 1: If I double click to edit the cell, and then save (with the JS still in the cell), the javascript actually get executed. (a pop up came out)

You can see that this is a major vulnerability, especially if I was editing a cell with a lot of contents and some JS buried in there. the JS is executed from the page. So the JS could have done anything – call home, etc.

Problem 2: The script tags disappeared after 1 save. But since the role of phpgird is just to edit strings and not make judgement on what I edit, it should not be filtering out my content.

Neither Problem 1 or Problem 2 is proper behavior – PHPGrid library should just allow us to edit contents, not render this (especially not render the JS), and not modify the contents on its own.

Proper behavior is shown by other software like phpmyadmin or adminer – where contents are shown as just strings without any rendering. Any modifications are not filtered by default.

 

Experts at PhpGrid – any views? Did I miss a setting that will turn off rendering and auto content modification?

 

 

3 Answers
Abu Ghufran Staff answered 5 years ago

Hello,

Apologies for the delay. There was an issue on our side which caused delay in ticket reply.

I’ll discuss problem #2 first. Grid’s default behavior is to strip all html tags (strip_tags) from plain text fields. If someone wish to allow html content, he can then set:

$col[“formatter”] = “html”;

Second, in this allowed html code, malicious code (e.g. xss) is removed. If someone wish to allow all html tags and skip sanitization process, he can then set:

$col[“sanitize”] = false;

If you set sanitize to false, it will act like phpmyadmin/adminer.

Now problem #1, To show html tags in cell instead of rendering, you need to set custom formatter with that column, as mentioned in FAQs:

$col[“formatter”] = “function(cellval,options,rowdata){ return jQuery.jgrid.htmlEncode(cellval); }”;
$col[“unformat”] = “function(cellval,options,cell){ return jQuery.jgrid.htmlDecode(cellval); }”;

This way, even if you write <js>alert(123);</js> in any text field, it will not be executed and shown as html tags.

You can test them further and let us know if you see any security vulnerability.

_________________________
Abu Ghufran - Dev Team
Grid 4 PHP Framework
 
pcattani answered 2 years ago

Hi Abu,

I am having this same problem, but the proposed solutions are not fixing the problem for me.

If I open a record for editing and save without any changes, those fields which contain javascript seem to be executing and the resultant output saved to to the cell.  This destroys the integrity of the cell information.

Any other ideas I can use, or any idea why your suggestion isn’t working?  I am using:

$col[“formatter”] = “function(cellval,options,rowdata){ return jQuery.jgrid.htmlEncode(cellval); }”;
$col[“unformat”] = “function(cellval,options,cell){ return jQuery.jgrid.htmlDecode(cellval); }”;

 

It looks like I’m using phpgrid version 2.0.0

 

Thanks.

 

 

pcattani answered 2 years ago

Update:

 

My problem was #2, not #1, and was fixed by doing:

 

$col[“formatter”] = “html”;

$col[“sanitize”] = false;

 

I am now able to edit the cell as HTML and when I save, the HTML is preserved and no Javascript is executed.

Thanks for the initial reply.

Abu Ghufran Staff replied 2 years ago

Thanks for the update.

Your Answer

13 + 9 =

Login with your Social Id:

OR, enter

Attach code here and paste link in question.
Attach screenshot here and paste link in question.



How useful was this discussion?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate it.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?