A very serious DHTML Scheduler drawback

We are using your scheduler and now we want to start using CSP (Content Security Policy). CSP is a W3C standard that makes websites A LOT MORE SECURE, preventing almost any type of XSS attack. However, DHTMLX Scheduler does not work with it. I think that the only problem is that you are using the eval("…") function, which allows executing any string as JavaScript. Do you plan to support CSP? In the future most websites will use CSP, so I think there is no way you can bypass supporting this standard.

The scheduler's code really does use eval for JSON parsing. It can be easily changed to JSON.parse, but there are some other places where Scheduler uses non-CSP-compatible code.

We have CSP compatibility as a long-term goal, but I can't provide any fixed date when it will be available.

On a side note, CSP mode doesn't prevent XSS attacks, it just closes the most common sources of XSS. If data from the client side is not XSS-filtered before being stored in the database, then there is still space for an XSS attack.

Hi,

We're using TreeGrid but got a report from the security guys that the JavaScript is using "eval()", which is not acceptable to them.

A real downer, because we're looking forward to using Scheduler as well as the dhtmlxSuite.

How can I keep the security guys happy?

Best Regards,
HJ Koevoets

dhtmlxScheduler uses "eval" for JSON parsing only.

If you are using strict JSON and do not plan to use old versions of IE, we can provide a build of dhtmlxScheduler without "eval".

By the way, usage of "eval" is safe when you are using it against a controlled data source (a data feed from your own server is a controlled data source).
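The two points raised in this thread, replacing the eval-based JSON parsing with JSON.parse (so the feed is never executed as code and a CSP without 'unsafe-eval' is satisfied) and escaping stored event text on output because CSP alone does not stop stored XSS, as one added example. This is not dhtmlxScheduler's own code; the event field names (id, start_date, end_date, text) and the two sample feeds are constructed for illustration.

```javascript
// Added example, not dhtmlxScheduler code. Loads a scheduler-style event feed
// without eval and renders it with feed-derived text escaped.

// JSON.parse never executes code, so it works under a CSP that forbids
// 'unsafe-eval'. Relaxed "object literal" feeds that an eval()-based parser
// tolerated (unquoted keys, single quotes) are rejected instead of executed.
function parseEventFeed(feedText) {
  let data;
  try {
    data = JSON.parse(feedText);
  } catch (err) {
    return { ok: false, error: 'feed is not strict JSON: ' + err.message, events: [] };
  }
  if (!Array.isArray(data)) {
    return { ok: false, error: 'feed must be a JSON array of events', events: [] };
  }
  const events = [];
  for (const ev of data) {
    if (typeof ev !== 'object' || ev === null) continue;
    // Whitelist the fields the UI needs, coerced to strings (assumed field names).
    events.push({
      id: String(ev.id ?? ''),
      start_date: String(ev.start_date ?? ''),
      end_date: String(ev.end_date ?? ''),
      text: String(ev.text ?? ''),
    });
  }
  return { ok: true, error: null, events };
}

// CSP only removes eval-style sinks; event text that a user entered and that
// was stored unfiltered is still a stored-XSS risk when rendered as HTML, so
// escape it on output (or assign it via textContent instead of innerHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render one event as an HTML snippet with every feed-derived value escaped.
function renderEvent(ev) {
  return '<div class="event" data-id="' + escapeHtml(ev.id) + '">' +
         escapeHtml(ev.start_date) + ' - ' + escapeHtml(ev.end_date) + ': ' +
         escapeHtml(ev.text) + '</div>';
}

// Constructed sample feeds: strict JSON, and the eval-only relaxed syntax.
const STRICT_FEED = '[{"id":"1","start_date":"2024-03-01 09:00","end_date":"2024-03-01 10:00","text":"Standup <b>& more</b>"}]';
const RELAXED_FEED = "[{id:1, start_date:'2024-03-01 09:00', text:'Standup'}]";
```

With a response header such as `Content-Security-Policy: script-src 'self'` (no 'unsafe-eval'), the parse path above keeps working while any remaining eval-based code on the page is blocked by the browser.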

Hello Stanislav,

can you provide the build without eval? We would like to use your scheduler, but cannot change our CSP.

Thanks and best regards

Hi!

There is no separate build, but you can solve it using the dhtmlxscheduler_csp.js extension:
https://docs.dhtmlx.com/scheduler/content_security_policy.html

Just add this file to the page after dhtmlxscheduler.js and it will override any unsafe code.
As a result, everything should work fine, no other functionality of the scheduler should be affected.

Best,
