
XSS Cross Site Scripting issue

Asked by Anonymous
3 years ago.

Hi

May I know if DayPilot has the cross site scripting issue?
Thanks

Best regards,
Goh

Answer posted by Dan Letecky [DayPilot]
3 years ago.

DayPilot lets you specify raw HTML in many places to allow adding rich content and defining your own functionality. You need to make sure that any user-entered data that you use when adding custom HTML is sanitized.

Comment posted by Anonymous
3 years ago.

Hi

Can you further elaborate this "make sure that any user-entered data that you use when adding custom HTML is sanitized"?

Thanks

Best regards,
Goh

Comment posted by Dan Letecky [DayPilot]
3 years ago.

The minimum you should do is to sanitize the event and resource text (as they are usually entered by users):

protected void DayPilotScheduler1_BeforeResHeaderRender(object sender, DayPilot.Web.Ui.Events.Scheduler.BeforeResHeaderRenderEventArgs e)
{
  e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Name);
}

and

protected void DayPilotScheduler1_BeforeEventRender(object sender, BeforeEventRenderEventArgs e)
{
  e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Text);
}

This assumes that you do not sanitize the user input before storing it in the database.

If you load user-supplied content in other places (such as in DayPilotBubble.RenderEventBubble), you need to sanitize it as well.

Comment posted by Anonymous
3 years ago.

Hi

Thanks for your swift reply.
Hope this will solve the XSS issue.

Thanks
Best regards,
Goh

Comment posted by Anonymous
3 years ago.

Hi
I can't find this DayPilot.Utils.Encoder.HtmlEncode(e.Name)
Is this DayPilot.Utils.Base64.Encode(e.Name) same?

But it shows the encoded characters on the UI. (TWFzdGVyIDE)

Thanks
Best regards,
Goh

Comment posted by Goh
3 years ago.

Hi

Any update on this issue?
I received the message below from a customer saying that their firewall blocks this.
msg="Parameter(ctl00_CPH1_DayPilotScheduler1_state) triggered signature ID 010000072 of Signatures policy basshrm signature" signature_subclass="Cross Site Scripting"
signature_subclass="Cross Site Scripting"
signature_id="010000072"

Please help on this as we are not able to deploy it if it is not solved.

Thanks
Best regards,
Goh

Comment posted by Dan Letecky [DayPilot]
3 years ago.

Sorry, the DayPilot.Utils.Encoder.HtmlEncode() method is internal. You can use any generic HTML encoding method instead, such as HttpUtility.HtmlEncode():

https://docs.microsoft.com/en-us/dotnet/api/system.web.httputility.htmlencode

However:

There are two approaches to HTML sanitization - on input and on output. Generally, it is recommended to sanitize on output (which is what the example above does). That means the user input is stored in the database (as entered) and sanitized before display.

The report above seems to complain about the tree state content that is submitted with callbacks and postbacks. This state will include both the unsanitized Text and sanitized Html value and it may still complain. This seems to enforce the on-input sanitization so you would have to rebuild the logic and not allow storing raw content in the database.

Another option (a workaround) would be to turn off the state synchronization using SyncTreeState=false. But that affects the behavior and you would have to rebuild the resource tree from the database on every callback/postback (and you would still lose the expanded/collapsed state).
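As an added illustration (not code from this thread or from DayPilot itself), here is the output-side encoding described in the two replies above, with the public HttpUtility.HtmlEncode() standing in for the internal DayPilot.Utils.Encoder.HtmlEncode(). The scheduler handler signatures and the e.Name / e.Text / e.Html properties are the ones quoted in the thread; the DayPilotBubble handler's argument type (RenderEventBubbleEventArgs) and its InnerHtml property are assumed from DayPilot's naming and should be checked against the installed version. Note that DayPilot.Utils.Base64.Encode(), tried in an earlier comment, is a transport encoding, not an HTML encoding, which is why it shows TWFzdGVyIDE instead of "Master 1"; HtmlEncode keeps the text readable while turning < > & " into entities the browser will not interpret as markup.

```csharp
using System;
using System.Web;
using System.Web.UI;
using DayPilot.Web.Ui.Events.Scheduler;
using DayPilot.Web.Ui.Events.Bubble;   // assumed namespace for the bubble event args

public partial class SchedulerPage : Page
{
    // Single choke point for "user text -> HTML". Every DayPilot hook that
    // turns stored user text into markup goes through this helper, so the
    // database can keep the text exactly as entered (sanitize-on-output).
    private static string SafeHtml(string userText)
    {
        // HtmlEncode turns <, >, &, " into entities; null becomes an empty string.
        return HttpUtility.HtmlEncode(userText ?? string.Empty);
    }

    // Resource header text (the resource Name) is usually user-entered.
    protected void DayPilotScheduler1_BeforeResHeaderRender(object sender, BeforeResHeaderRenderEventArgs e)
    {
        e.Html = SafeHtml(e.Name);
    }

    // Event text is usually user-entered. Markup you author yourself stays raw;
    // only the user-controlled part is encoded.
    protected void DayPilotScheduler1_BeforeEventRender(object sender, BeforeEventRenderEventArgs e)
    {
        e.Html = "<strong>" + SafeHtml(e.Text) + "</strong>";
    }

    // The bubble is another place where user content is loaded (see the reply
    // above); property names here are assumed, not quoted from the thread.
    protected void DayPilotBubble1_RenderEventBubble(object sender, RenderEventBubbleEventArgs e)
    {
        e.InnerHtml = "<div class=\"bubble\">" + SafeHtml(e.Text) + "</div>";
    }

    // Constructed sample run for the encoding step itself. A stored value of
    // "Master <b>1</b>" is shown literally in the UI rather than rendered as
    // bold, because it becomes "Master &lt;b&gt;1&lt;/b&gt;".
    public static string Demo()
    {
        string stored = "Master <b>1</b>";   // constructed sample of user-entered text
        return SafeHtml(stored);
    }
}
```

The pattern above is the "sanitize on output" approach from the reply: nothing is changed on the way into the database, and every render hook encodes. As the same reply explains, that does not change what DayPilot places in the tree state that is submitted with callbacks and postbacks, which still carries the raw Text value; if a web application firewall inspects that state parameter, only input-side cleaning (rejecting or stripping markup before it is stored) or the SyncTreeState=false workaround will stop the signature from firing.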
