
Thread: [Security] XSS attacks for Extjs Applications - critical warning

  1. #191


    Quote Originally Posted by mitchellsimoens:
    I'm not fixing or implementing anything into Ext JS, I'm providing some overrides. I never said it'll fix everything. Also, in an XTemplate, you can't just encode everything as you are likely going to have html in your template so you have to encode what you want.
    I'm not suggesting that you are fixing/implementing Ext JS. For our application, a global approach makes more sense, but each application needs to carefully consider which works best and know the workarounds that are available.

    I've found that for XTemplate, the developer will need to recognize that the values used in their template may need the :htmlEncode annotation. You certainly can't assume you should html encode everything for the reasons you've stated.

    My comment was mostly to clarify that your overrides do cover most use cases, but some others still exist that the developer will need to be aware of.

    Nice job on the overrides btw.

  2. #192
    Sencha User
    Join Date
    Nov 2009
    Posts
    15

    Small issue with Button override

    @mitchellsimoens: First of all, thanks a lot for enlightening our path on the XSS fight with those overrides! They are awesome!


    I just want to add that the Button override is producing an error in the Sencha CMD build; it says that the parent class doesn't have a method called applyText (doing a quick research on the source code, it seems it really doesn't have one, at least not Ext.Component nor Ext.Base). I "fixed" it by commenting out the last line on the override. I just wanted to ask if you may have any concern/thought on this approach...


    Keep up the great work guys!

  3. #193
    Sencha Premium User mitchellsimoens's Avatar
    Join Date
    Mar 2007
    Location
    Gainesville, FL
    Posts
    40,379


    @firegun What Ext JS version are you using? I haven't tried the overrides outside of Sencha Fiddle, but it works for Ext JS 5.x.

    I see the error using 6.x and you would then change the override to:

    Code:
    Ext.define('Override.button.Button', {
        override : 'Ext.button.Button',
        
        applyText : function(text, oldText) {
            if (text && !this.getAllowMarkup()) {
                text = Ext.String.htmlEncode(text);
            }
            
            return text;
        }
    });
    Mitchell Simoens @LikelyMitch

    Check out my GitHub:
    https://github.com/mitchellsimoens

    Posts are my own, not any current, past or future employer's.

  4. #194
    Sencha User
    Join Date
    Nov 2009
    Posts
    15

    You did it again ^^

    @mitchellsimoens: I'm using Ext 5.1.1.451 and Sencha Cmd 5.1.2.52, and the proposed change works just fine.

    Thanks for the quick reply!

  5. #195


    We have fixed the XSS problem. Our design is ...

    Every component has a boolean property called "htmlEncode". But components can also have other properties like htmlEncodeHeader e.g. Column.

    Templates and set methods like setText() etc. are supposed to respect this property. In short, you only encode if the relevant htmlEncode property is true. Renderers are supposed to do their own htmlEncode'ing. The key here is ... respecting the htmlEncode or htmlEncodeXXXXX property.

    To achieve this, we had to instrument/change the ExtJS all-debug code. I admit, not a good idea to instrument the ExtJS code, but security and fixing the vulnerability was more important than the solution.

    It is past 30 days. No bugs so far. The solution is looking very stable.

  6. #196


    That was pure speculation on my part. But my expectation in general is that on most browsers, most of the time this:

    Code:
    div.appendChild(document.createTextNode(myText));

    will be faster than:

    Code:
    div.innerHTML = myText;

    The original comments regarding performance seem to be assuming that you MUST use "div.innerHTML" and thus you would have to escape the text (in JavaScript), which would naturally be less efficient.
    I'm Designer

  7. #197
    Sencha User
    Join Date
    Apr 2013
    Posts
    137


    @mitchellsimoens: thanks for your great overrides. It just lacks overrides for:
    1- "Ext.window.MessageBox"
    2- "Ext.tree.Column"
    3- "Combobox"
    4- "Ext.grid.column.Check"
    5- "Ext.form.Labelable" + "qtip" (for error)

    They can be something like these (NOTE: they rely on @mitchellsimoens' overrides):

    Code:
    Ext.define('Override.tree.Column', {
        override: 'Ext.tree.Column',

        // Bypass the parent (Ext.grid.column.Column) XSS attack protector for this
        // call: the tree column produces its own cell markup, so the node value is
        // encoded in innerRenderer below instead.
        setupRenderer: function (type) {
            var me = this,
                origAllowMarkup = me.allowMarkup;

            me.allowMarkup = true;
            me.callParent([type]);
            me.allowMarkup = origAllowMarkup;
        },

        initComponent: function () {
            var me = this;

            me.callParent();

            me.setupXssProtectorRenderer();
        },

        // Wrap innerRenderer so the node text is html-encoded unless allowMarkup is set.
        setupXssProtectorRenderer: function () {
            var me = this;

            if (!me.allowMarkup) {
                var oldRenderer = me.innerRenderer;

                me.innerRenderer = function (value) {
                    if (oldRenderer) {
                        value = oldRenderer.apply(this, arguments);
                    }

                    if (value) {
                        value = Ext.String.htmlEncode(value);
                    }

                    return value;
                };
            }
        }
    });
    and
    Code:
    Ext.define('Override.window.MessageBox', {
        override: 'Ext.window.MessageBox',

        initComponent: function (cfg) {
            this.callParent([cfg]);
            this.updateAllowMarkup(this.allowMarkup);
        },

        // Propagate allowMarkup to the inner msg component so its text is encoded too.
        updateAllowMarkup: function (allow) {
            if (this.msg) {
                this.msg.allowMarkup = allow;
            }
        },

        reconfigure: function (cfg) {
            this.updateAllowMarkup(cfg.allowMarkup);
            this.callParent([cfg]);
        }
    });
    and
    Code:
    Ext.define('Override.view.BoundList', {
        override: 'Ext.view.BoundList',

        initComponent: function () {
            var me = this;

            me.origInnerTpl = me.getInnerTpl;

            // Add :htmlEncode to every {field} placeholder of the inner template.
            // This assumes the inner template uses bare placeholders (the default
            // is '{' + displayField + '}'); a placeholder that already carries a
            // formatter would end up with two.
            me.getInnerTpl = function (displayField) {
                var tpl = me.origInnerTpl(displayField);

                if (tpl) {
                    tpl = tpl.replace(/\{(.*?)\}/g, '{$1:htmlEncode}');
                }

                return tpl;
            };

            me.callParent();
        }
    });
    and
    Code:
    Ext.define('Override.grid.column.Check', {
        override: 'Ext.grid.column.Check',
        allowMarkup: true
    });
    and
    Code:
    Ext.define('Override.form.Labelable', {
        override: 'Ext.form.Labelable',

        // Encode validation messages before they reach the error template.
        setActiveErrors: function (errors) {
            if (Ext.isArray(errors)) {
                Ext.each(errors, function (msg, i) {
                    errors[i] = Ext.String.htmlEncode(msg);
                });
            } else if (Ext.isString(errors)) {
                errors = Ext.String.htmlEncode(errors);
            }

            this.callParent([errors]);
        },

        renderActiveError: function () {
            this.callParent();

            // For the quick tip: the errors were already encoded in setActiveErrors.
            if (this.errorEl) {
                this.errorEl.allowMarkup = true;
            }
        }
    });
    and
    Code:
    Ext.define('Override.tip.QuickTip', {
        override: 'Ext.tip.QuickTip',

        update: function (htmlOrData, loadScripts, callback) {
            var el, origAllowMarkup;

            if (this.activeTarget && (el = Ext.fly(this.activeTarget.el))) {
                // The target is an Ext.form.Labelable error element: follow its allowMarkup.
                if (el.component && el.component.errorEl) {
                    origAllowMarkup = this.getAllowMarkup();

                    this.setAllowMarkup(el.component.errorEl.allowMarkup);
                    this.callParent([htmlOrData, loadScripts, callback]);
                    this.setAllowMarkup(origAllowMarkup);

                    return;
                }
            }

            this.callParent([htmlOrData, loadScripts, callback]);
        }
    });
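As an added example (not code from the thread, nor part of Ext JS), here is a stand-alone JavaScript model of the BoundList trick in the post above and of the XTemplate :htmlEncode annotation discussed in #191: it rewrites bare {field} placeholders to {field:htmlEncode}, leaves placeholders that already carry a formatter alone, and renders both templates against a constructed record. htmlEncode mirrors the characters Ext.String.htmlEncode escapes; render is an assumed toy stand-in for Ext.XTemplate that understands only {field} and {field:formatter}.

```javascript
// Added example, not Ext JS code. htmlEncode escapes the same characters as
// Ext.String.htmlEncode (& < > " '); '&' goes first so nothing is encoded twice.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Formatters a placeholder may name after the colon, e.g. {name:htmlEncode}.
const FORMATTERS = { htmlEncode: htmlEncode };

// Rewrite every placeholder without a formatter into {field:htmlEncode}.
// Unlike the bare /\{(.*?)\}/ replacement in the BoundList override, a
// placeholder that already names a formatter is kept as it is, so
// {name:htmlEncode} does not become {name:htmlEncode:htmlEncode}.
function forceHtmlEncode(tpl) {
  return tpl.replace(/\{([^{}:]+)(:[^{}]*)?\}/g, (match, field, fmt) =>
    fmt ? match : '{' + field + ':htmlEncode}');
}

// Toy stand-in for Ext.XTemplate (assumption: only {field} and
// {field:formatter} are supported, no <tpl> tags).
function render(tpl, data) {
  return tpl.replace(/\{([^{}:]+)(?::([^{}]+))?\}/g, (match, field, fmt) => {
    const value = data[field] === undefined ? '' : data[field];
    if (!fmt) {
      return String(value); // raw interpolation: any markup goes through
    }
    const formatter = FORMATTERS[fmt];
    if (!formatter) {
      throw new Error('unknown formatter: ' + fmt);
    }
    return formatter(value);
  });
}

// Constructed sample record whose display value carries markup.
const record = { id: 7, name: '<b>Bob</b> & "Co"' };
const rawTpl = '<li data-id="{id}">{name}</li>';
const safeTpl = forceHtmlEncode(rawTpl);

console.log(render(rawTpl, record));  // markup is interpolated verbatim
console.log(render(safeTpl, record)); // <li data-id="7">&lt;b&gt;Bob&lt;/b&gt; &amp; &quot;Co&quot;</li>
console.log(forceHtmlEncode(safeTpl) === safeTpl); // the rewrite is idempotent
```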

  8. #198
    Sencha User
    Join Date
    Oct 2015
    Posts
    6


    Hi Alna,
    I have tried a generalised solution at component level in ExtJS 6.0 and it worked successfully for me; maybe it is helpful.

    Code:
    // Write in app.js file
    Ext.override(Ext.grid.column.Column, {
        defaultRenderer: Ext.util.Format.htmlEncode
    });

    and for other components like date field and combo I have added a generalised solution in the app.js file

  9. #199


    Any updates to this problem?
