search envelope-o feed check
Home Unanswered Active Tags New Question
user comment-o

XSS Cross Site Scripting issue

Asked by Anonymous
17 days ago.

Hi

May I know if DayPilot having the cross site scripting issue?
Thanks

Best regards,
Goh

Answer posted by Dan Letecky [DayPilot]
17 days ago.

DayPilot lets you specify raw HTML in many places to allow adding rich content and defining your own functionality. You need to make sure that any user-entered data that you use when adding custom HTML is sanitized.

Comment posted by Anonymous
17 days ago.

Hi

Can you further elaborate this "make sure that any user-entered data that you use when adding custom HTML is sanitized"?

Thanks

Best regards,
Goh

Comment posted by Dan Letecky [DayPilot]
16 days ago.

The minimum you should do is to sanitize the event and resource text (as they are usually entered by users):

protected void DayPilotScheduler1_BeforeResHeaderRender(object sender, DayPilot.Web.Ui.Events.Scheduler.BeforeResHeaderRenderEventArgs e)
{
  e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Name);
}

and

protected void DayPilotScheduler1_BeforeEventRender(object sender, BeforeEventRenderEventArgs e)
{
  e.Html = DayPilot.Utils.Encoder.HtmlEncode(e.Text);
}

This assumes that you do not sanitize the user input before storing it in the database.

If you load user-supplied content in other places (such as in DayPilotBubble.RenderEventBubble), you need to sanitize it as well.

Comment posted by Anonymous
16 days ago.

Hi

Thanks for your swift reply.
Hope this will solve the XSS issue.

Thanks
Best regards,
Goh

Comment posted by Anonymous
16 days ago.

Hi
I can't find this DayPilot.Utils.Encoder.HtmlEncode(e.Name)
Is this DayPilot.Utils.Base64.Encode(e.Name) same?

But it show the encoded character on the UI. (TWFzdGVyIDE)

Thanks
Best regards,
Goh

Comment posted by Goh
8 days ago.

Hi

Any update on this issue?
I received below message sent from customer that their FireWall block this.
msg="Parameter(ctl00_CPH1_DayPilotScheduler1_state) triggered signature ID 010000072 of Signatures policy basshrm signature" signature_subclass="Cross Site Scripting"
signature_subclass="Cross Site Scripting"
signature_id="010000072"

Please help on this as we are not able to deploy it if it is not solve.

Thanks
Best regrds,
Goh

Comment posted by Dan Letecky [DayPilot]
7 days ago.

Sorry, the DayPilot.Utils.Encoder.HtmlEncode() method is internal. You can use any generic HTML encoding method instead, such as HttpUtility.HtmlEncode():

https://docs.microsoft.com/en-us/dotnet/api/system.web.httputility.htmlencode

However:

There are two approaches to HTML sanitization - on input and on output. Generally, it is recommended to sanitize on output (which is what the example above does). That means the user input is stored in the database (as entered) and sanitized before display.

The report above seems to complain about the tree state content that is submitted with callbacks and postbacks. This state will include both the unsanitized Text and santized Html value and it may still complain. This seems to enforce the on-input sanitization so you would have to rebuild the logic and not allow storing raw content in the database.

Another option (a workaround) would be turn off the state synchronization using SyncTreeState=false. But that affects the behavior and you would have to rebuild the resource tree from the database on every callback/postback (and you would still lose the expanded/collapsed state).

New Reply
This reply is
Your name (optional):