Cross Site Scripting (XSS) and dhtmlx

Hi there,

We are using version 2.6 of the dhtmlx suite in our application and are including the following scripts:

<link rel="STYLESHEET" type="text/css" href="/Content/lib/dhtmlx/2.6/dhtmlxGrid/codebase/dhtmlxgrid_skins.css">

I am able to enter the following XSS code inside a grid text box element in our application:

<img/src=! onerror=alert(/XSS/)>

I can then see the alert displayed in the browser when I tab out of the text field, meaning XSS attacks are possible.

The only documentation I could find on how to protect from XSS was here:

docs.dhtmlx.com/connector__net__security.html

The documentation suggests the following line is added (but doesn’t say where):

ConnectorSecurity.XSS = ConnectorSecurity.SecutiryXSS.DHX_SECURITY_SAFETEXT;

Looking through the dhtmlx library code I could find no references at all to ‘dhtmlxConnector’, so it looks like we are not using this library. (We are using the ‘dhtmlxdataprocessor.js’ library as shown above though.)

I was therefore wondering where/how I need to implement XSS security?

Many thanks,

Graeme
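The client-side mitigation for the behaviour described in the post, as an added example that is not dhtmlx code: HTML-encode every untrusted cell value before it is written into the DOM (and apply the same encoding wherever the server emits grid data), so that the payload from the post is displayed as text instead of being parsed as an element. The `renderCell*` functions and the `<td>` wrapper are assumed stand-ins for wherever your application hands cell values to the grid, not a dhtmlx API.

```javascript
// Added example (not dhtmlx code): encode untrusted cell values before
// they reach innerHTML-style rendering, so markup such as
// <img/src=! onerror=alert(/XSS/)> is shown as text, not executed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
};

// Encode every character that can open, close or attribute-terminate
// an HTML tag; '&' first so existing entities are not double-decoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical rendering hook: the unsafe variant concatenates the raw
// value into markup (the pattern that produced the alert in the post).
function renderCellUnsafe(value) {
  return '<td>' + value + '</td>';
}

// Hardened variant: the value is encoded before it is placed in markup.
function renderCellSafe(value) {
  return '<td>' + escapeHtml(value) + '</td>';
}

// Constructed sample input: the payload quoted in the post above.
const SAMPLE_PAYLOAD = '<img/src=! onerror=alert(/XSS/)>';

// Check usable in a test suite: the rendered cell body must contain no
// raw '<' or '>' from user input, so the browser cannot build an element.
function containsRawTag(cellHtml) {
  const inner = cellHtml.slice('<td>'.length, -'</td>'.length);
  return /[<>]/.test(inner);
}
```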