Hi there,
We are using version 2.6 of the dhtmlx suite in our application and are including the following scripts:
<link rel="STYLESHEET" type="text/css" href="/Content/lib/dhtmlx/2.6/dhtmlxGrid/codebase/dhtmlxgrid_skins.css">
I am able to enter the following XSS code inside a grid text box element in our application:
<img/src=! onerror=alert(/XSS/)>
I can then see the alert displayed in the browser when I tab out of the text field, meaning XSS attacks are possible.
The only documentation I could find on how to protect from XSS was here:
docs.dhtmlx.com/connector__net__security.html
The documentation suggests the following line be added (but doesn’t say where):
ConnectorSecurity.XSS = ConnectorSecurity.SecutiryXSS.DHX_SECURITY_SAFETEXT;
Looking through the dhtmlx library code I could find no references at all to ‘dhtmlxConnector’, so it looks like we are not using this library. (We are using the ‘dhtmlxdataprocessor.js’ library as shown above, though.)
I was therefore wondering where/how I need to implement XSS security?
Many thanks,
Graeme
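An added example, not part of Graeme's post and not dhtmlx library code: an HTML-escaping step applied to cell values before they are handed to a grid that renders cell content as HTML. It assumes the application controls the value before dhtmlxGrid or the dataprocessor sees it; the function names and the sample row are constructed for illustration, and the payload is the one quoted in the post.

```javascript
// Added example (not dhtmlx code). Characters that carry HTML meaning are
// replaced with entities so the browser treats the cell value as text, not markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape one untrusted value for insertion into an HTML context (element body).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Apply escapeHtml to every cell of a row before it reaches the grid/dataprocessor.
// Hypothetical helper name; the application decides where this hook lives.
function sanitizeRow(cells) {
  return cells.map(escapeHtml);
}

// Detection check usable in tests or logging: does a string still open a tag?
// After escaping, no literal '<' survives, so this returns false.
function containsActiveMarkup(s) {
  return /<\s*[a-z!\/]/i.test(s);
}

// Constructed sample input: the payload from the post plus an ordinary value.
const SAMPLE_ROW = ['Acme & Co', '<img/src=! onerror=alert(/XSS/)>'];

// Escapes the sample row and reports whether any cell would still be parsed as markup.
function demo() {
  const safeRow = sanitizeRow(SAMPLE_ROW);
  return {
    safeRow,
    stillActive: safeRow.some(containsActiveMarkup), // false after escaping
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The same escaping has to happen on the server for values saved through the dataprocessor and sent back later, since a stored payload is rendered on every subsequent load.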