May I know if DayPilot has a cross-site scripting issue?
DayPilot lets you specify raw HTML in many places to allow adding rich content and defining your own functionality. You need to make sure that any user-entered data that you use when adding custom HTML is sanitized.
Can you further elaborate on this: "make sure that any user-entered data that you use when adding custom HTML is sanitized"?
The minimum you should do is to sanitize the event and resource text (as they are usually entered by users):
protected void DayPilotScheduler1_BeforeResHeaderRender(object sender, DayPilot.Web.Ui.Events.Scheduler.BeforeResHeaderRenderEventArgs e)
{
    // Encode the resource name before it is emitted as the row header HTML
    e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Name);
}

protected void DayPilotScheduler1_BeforeEventRender(object sender, BeforeEventRenderEventArgs e)
{
    // Encode the event text before it is emitted as the event box HTML
    e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Text);
}
This assumes that you do not sanitize the user input before storing it in the database.
If you load user-supplied content in other places (such as in DayPilotBubble.RenderEventBubble), you need to sanitize it as well.
Thanks for your swift reply.
Hope this will solve the XSS issue.
I can't find this DayPilot.Utils.Encoder.HtmlEncode(e.Name)
Is DayPilot.Utils.Base64.Encode(e.Name) the same?
But it shows the encoded characters on the UI. (TWFzdGVyIDE)
Any update on this issue?
I received the message below from a customer; their firewall blocks this.
msg="Parameter(ctl00_CPH1_DayPilotScheduler1_state) triggered signature ID 010000072 of Signatures policy basshrm signature" signature_subclass="Cross Site Scripting"
Please help with this, as we are not able to deploy if it is not solved.
Sorry, the DayPilot.Utils.Encoder.HtmlEncode() method is internal. You can use any generic HTML encoding method instead, such as HttpUtility.HtmlEncode():
There are two approaches to HTML sanitization - on input and on output. Generally, it is recommended to sanitize on output (which is what the example above does). That means the user input is stored in the database (as entered) and sanitized before display.
The report above seems to complain about the tree state content that is submitted with callbacks and postbacks. This state will include both the unsanitized Text and the sanitized Html value, so it may still complain. This seems to enforce on-input sanitization, so you would have to rebuild the logic and not allow storing raw content in the database.
Another option (a workaround) would be to turn off the state synchronization using SyncTreeState=false. But that affects the behavior: you would have to rebuild the resource tree from the database on every callback/postback (and you would still lose the expanded/collapsed state).
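The output-encoding pattern from the two answers above (the BeforeEventRender / BeforeResHeaderRender handlers, and the switch to a generic encoder such as HttpUtility.HtmlEncode), as an added example that is not DayPilot's own code. It is a self-contained C# console program: the RenderArgs class is a hypothetical stand-in for DayPilot's event-args objects (raw Text in, Html out), the sample event texts are constructed, and System.Web.HttpUtility is assumed to be available (it ships with .NET Framework and with .NET Core 2.0 and later). It also shows why the Base64 encoder the asker tried is not a substitute: it only disguises the text, and decoding returns the original markup unchanged.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility.HtmlEncode; assumed available (.NET Framework, .NET Core 2.0+)

// Hypothetical stand-in for BeforeEventRenderEventArgs / BeforeResHeaderRenderEventArgs:
// Text is the value as stored, Html is what the control emits into the page verbatim.
class RenderArgs
{
    public string Text { get; set; }
    public string Html { get; set; }
}

static class EventHtml
{
    // Output encoding: turn <, >, &, " and ' into entities so user text renders as
    // literal characters instead of being parsed as markup.
    public static string EncodeForHtml(string userText)
    {
        // HttpUtility.HtmlEncode(null) returns null; normalise so Html is never null.
        return HttpUtility.HtmlEncode(userText ?? string.Empty);
    }

    // Same shape as the handler in the answer above: leave e.Text as stored (the database
    // keeps the raw value), set e.Html to the encoded copy that will be displayed.
    public static void BeforeEventRender(RenderArgs e)
    {
        e.Html = EncodeForHtml(e.Text);
    }

    // When rich content is needed, write the markup yourself and encode only the
    // user-supplied part. cssClass is chosen by your code; userText is the only untrusted value.
    public static string RichEventHtml(string userText, string cssClass)
    {
        return "<div class=\"" + cssClass + "\"><b>" + EncodeForHtml(userText) + "</b></div>";
    }

    // What the asker tried: Base64 is a transport encoding, not a sanitizer. "Master 1"
    // becomes "TWFzdGVyIDE=" on screen, and anything that decodes it gets the payload back.
    public static string Base64RoundTrip(string userText)
    {
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(userText));
        return Encoding.UTF8.GetString(Convert.FromBase64String(encoded));
    }

    static void Main()
    {
        // Constructed sample values, as a user could type them into an event or resource name.
        string[] samples =
        {
            "Master 1",
            "<img src=x onerror=alert(1)>",
            "Meeting \"Q&A\" <script>alert('xss')</script>"
        };

        foreach (string s in samples)
        {
            var e = new RenderArgs { Text = s };
            BeforeEventRender(e);
            Console.WriteLine("Text : " + e.Text);
            Console.WriteLine("Html : " + e.Html);
            Console.WriteLine("Rich : " + RichEventHtml(s, "event-user"));
            Console.WriteLine("Base64 decodes back to the raw input: " + (Base64RoundTrip(s) == s));
            Console.WriteLine();
        }
    }
}
```

Note that this is the on-output approach described in the answer: e.Text still carries the raw stored value, which is exactly what ends up in the state parameter the customer's firewall flagged. If the firewall cannot be tuned, only rejecting or encoding the value on input (before it reaches the database) keeps the markup out of that parameter.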