irigsoft Posted July 15, 2022
Hello, I need to replace/encrypt client-side input with Javascript. I have a MainForm script that replaces all (</>)#;' and I want to use it on every text element in the window. My question is: What ClientEvents for components can I use?
Sherzod Posted July 15, 2022
Hello, Can you give the sequence of your actions (algorithm)?
irigsoft (Author) Posted July 15, 2022
7 minutes ago, Sherzod said: Hello, Can you give the sequence of your actions (algorithm)?
My security team recommends: "It is recommended to perform validation and sanitisation of input data on the client side for special characters (</>"-#?)." So I created this MainForm.Script:

function escapeHtml(text) {
  // map each HTML-significant character to its entity (the single quote as &#039;)
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return text.replace(/[&<>"']/g, function (m) { return map[m]; });
}

At this point I want to use this function in uniEdit, uniMemo and other text components to replace characters when the user types or when the value is sent to the server. I am creating the elements dynamically and will add ClientEvents when the component is created. OnClick is not always used to perform an action; sometimes AddJs will be used as well. Maybe it is good to use onrender/afterrender on MainForm, but I am not sure.
Sherzod Posted July 15, 2022
Maybe you need to use the blur event for this?
irigsoft (Author) Posted July 15, 2022
1 minute ago, Sherzod said: Maybe you need to use the blur event for this?
Thanks, is this blur on the form? I don't find it.
Sherzod Posted July 15, 2022
For example:
irigsoft (Author) Posted July 15, 2022
3 minutes ago, Sherzod said: For example:
Thank you, can I apply this to mobile as well (UniGui Professional, version 1534)? How do I use the MainForm.Script function in blur?

UniEdit1.JSInterface.JSAddListener('blur', 'escapeHtml (' + UniEdit1.Text + ')');
Sherzod Posted July 15, 2022
25 minutes ago, irigsoft said: UniEdit1.JSInterface.JSAddListener('blur', 'escapeHtml (' + UniEdit1.Text + ')');

UnimEdit1.JSInterface.JSAddListener('blur', 'function(){this.setValue(escapeHtml(this.getValue()))}');
irigsoft (Author) Posted July 15, 2022
25 minutes ago, Sherzod said: UnimEdit1.JSInterface.JSAddListener('blur', 'function(){this.setValue(escapeHtml(this.getValue()))}');
Is it possible to use another event (just for information)? When I type in the component and then select another component on the screen, the replace is executed (that's fine), but I'm worried that my clients will ask me why this is happening. Is there an event that will do the replacement without it being visible to the client, and before the value is sent to the server?
Sherzod Posted July 15, 2022
1 hour ago, irigsoft said: but without being visible to the client and before it's sent to the server?
Why don't you want to pass data to the server without escapeHtml?
irigsoft (Author) Posted July 15, 2022
39 minutes ago, Sherzod said: Why don't you want to pass data to the server without escapeHtml?
No, I just want to hide the replaced data from the user. For example: I have a uniEdit text field and use it to search the database with the user's criteria.
1. I try user input like: <script>alert('Hi')</script> (I want to prevent code execution and use the escapeHtml replacement) - this is OK.
2. I try user input like: some text where I must have > 0 (I want to prevent code execution and use the escapeHtml replacement) - this is not OK, because it shows the user the replaced data if I click on a uniCheckbox before the uniButton click that starts the search.
It is not a problem if the app works this way, but I am just looking for whether some other event exists. Maybe the replaced data is visible because I have a uniTimer on the form?
Sherzod Posted July 15, 2022
18 minutes ago, irigsoft said: 1. I try user input like: <script>alert('Hi')</script> (I want to prevent code execution and use the escapeHtml replacement) - this is OK. 2. I try user input like: some text where I must have > 0 (I want to prevent code execution and use the escapeHtml replacement) - this is not OK
Sorry, maybe it's time for me to take a break. Your case is not clear to me...
irigsoft (Author) Posted July 15, 2022
8 minutes ago, Sherzod said: Sorry, maybe it's time for me to take a break. Your case is not clear to me...
I will try to explain:
1. I try user input like: <script>alert('Hi')</script> (I want to prevent code execution and use the escapeHtml replacement) - this is OK after blur.
2. I try user input like: some text where I must have > 0 (I want to prevent code execution and use the escapeHtml replacement) - this is not OK after blur.
So in case 2 I have "all data > 0", which is an internal function showing all data in a certain list, and the replacement shows all the replaced symbols. Everything is OK with replacing symbols on the client side, but an attacker will see all the replaced symbols and try another attack method, like writing #%32#%3B#%2C in the uniEdit.
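The two problems raised in this thread, the escaped text becoming visible to the user after blur and an attacker switching to encoded input once they see the replacement, both come from escaping at input time. The added example below is not code from the thread or from UniGUI: it uses a constructed stand-in for a text field (`makeField`, which binds `this` to the component when firing a listener, as the `JSAddListener` call above relies on) and a constructed `serverDecode` step that URL-decodes the submitted value once. It contrasts the blur-time replacement from the thread with escaping at output time, i.e. keeping the raw value in the field and in the database query and calling `escapeHtml` only where the text is written into HTML.

```javascript
// Added example, not part of the forum thread. Same entity mapping as the
// MainForm.Script escapeHtml function posted above.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (m) => ESCAPE_MAP[m]);
}

// Constructed stand-in for a text field component (not a UniGUI/ExtJS API):
// holds a value and fires 'blur' listeners with `this` bound to the field.
function makeField(initial) {
  const listeners = {};
  return {
    value: initial,
    getValue() { return this.value; },
    setValue(v) { this.value = v; },
    on(event, fn) { (listeners[event] = listeners[event] || []).push(fn); },
    fire(event) { (listeners[event] || []).forEach((fn) => fn.call(this)); },
  };
}

// Variant 1: escape at input time on blur, as the thread does. The escaped
// text is written back into the field, so the user sees it.
function blurEscapedValue(input) {
  const field = makeField(input);
  field.on('blur', function () { this.setValue(escapeHtml(this.getValue())); });
  field.fire('blur');
  return field.getValue();
}

// Variant 2: keep the raw value for the query and escape only when rendering.
function renderResultsHeading(rawCriterion) {
  return '<h2>Results for: ' + escapeHtml(rawCriterion) + '</h2>';
}

// Constructed server step (assumption): the submitted criterion is
// URL-decoded once, as a query-string parser would do.
function serverDecode(submitted) {
  return decodeURIComponent(submitted);
}

function demo() {
  const attack = "<script>alert('Hi')</script>";     // case 1 from the thread
  const search = 'all data > 0';                      // case 2 from the thread
  const encodedAttack = '%3Cscript%3Ealert(1)%3C/script%3E'; // constructed percent-encoded input

  return {
    // Input-time escape: what the user now sees in the field.
    blurAttack: blurEscapedValue(attack),
    blurSearch: blurEscapedValue(search),
    // Input-time escape has nothing to replace in percent-encoded text...
    blurEncoded: blurEscapedValue(encodedAttack),
    // ...so once the server decodes it, the raw tags are back.
    decodedAfterBlur: serverDecode(blurEscapedValue(encodedAttack)),
    // Output-time escape: the criterion reaches the query unchanged...
    querySearch: search,
    // ...and is inert in the page whatever form it arrived in.
    renderedSearch: renderResultsHeading(search),
    renderedDecoded: renderResultsHeading(serverDecode(encodedAttack)),
  };
}
```

The result object shows the trade-off directly: with the blur listener, "all data > 0" turns into "all data &gt; 0" in front of the user and a percent-encoded payload passes through untouched, while escaping at render time leaves the search criterion intact for the database and still neutralises `<script>` after decoding. Client-side validation can stay as a usability check, but the escaping that matters has to happen on the server, at the point where the value is written into HTML.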