vbdavie Posted August 24, 2015

I will presume that uniGUI utilizes AJAX to do its communication to the server. I have a concern about vulnerabilities with the framework. There are many types of vulnerabilities. Can anyone please comment on whether or not uniGUI is vulnerable to CSRF or XSS attacks? And if so, how to mitigate them? As far as SQL injection is concerned, that is more a matter of the programmer carefully crafting their SQL statements, so no worries there, i.e. check for ' and replace with '' (replace an apostrophe with two apostrophes).

Thanks
Davie
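Added example, not from the thread and not uniGUI code, written in JavaScript for illustration (a uniGUI server is Delphi, where the same rules hold). It implements the apostrophe doubling the post describes, and shows the position it does not cover: a value concatenated into a numeric position has no quotes to escape, so a payload with no apostrophe in it passes through untouched. The table and column names are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not uniGUI code. Hand-built SQL literals: doubling apostrophes
// protects a single-quoted string literal and nothing else. Table and column
// names are hypothetical.

// Apostrophe doubling as described in the post, wrapped in quotes so the result
// is a complete literal. The /g flag matters: replace() with a string pattern
// would only double the first apostrophe.
function sqlString(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// A numeric position has no quotes, so there is nothing to escape; validate the
// shape instead and reject anything that is not a plain integer.
function sqlInt(value) {
  const s = String(value).trim();
  if (!/^-?\d+$/.test(s)) {
    throw new TypeError(`not an integer: ${JSON.stringify(value)}`);
  }
  return s; // keep the digits as a string to avoid Number precision loss on large ids
}

// Naive version: applies apostrophe doubling and concatenates into a numeric
// position. The payload contains no apostrophe, so it is emitted unchanged.
function naiveByIdQuery(id) {
  const escaped = String(id).replace(/'/g, "''");
  return `SELECT * FROM customers WHERE id = ${escaped}`;
}

// Hardened versions: each value is rendered by the helper for its expected type.
function safeByIdQuery(id) {
  return `SELECT * FROM customers WHERE id = ${sqlInt(id)}`;
}

function safeByNameQuery(name) {
  return `SELECT * FROM customers WHERE name = ${sqlString(name)}`;
}

// Constructed inputs: a legitimate name, a string-position payload, a numeric-position payload
const SAMPLE_INPUTS = {
  name: "O'Brien",
  namePayload: "x' OR '1'='1",
  idPayload: '1 OR 1=1',
};
```

String building is shown only because that is what the post describes; the preferable fix is a parameterized query (in Delphi, the dataset's Params), which needs no escaping at all and also covers the numeric case.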
tappatappa Posted July 13, 2016

uniGUI uses Ext.js. As far as I know, ExtJS is vulnerable to all sorts of injection and XSS attacks, unless the programmer is very careful. See: https://www.sencha.com/forum/showthread.php?296844-HTML-injection-attack-against-the-grid-row-s-TR-id-and-dataRecordId-attributes

Ext.js doesn't do any HTML escaping by default, not just in the table row... HOW UNFORTUNATE, SENCHA.

That said, uniGUI does a better job of protecting the server from those attacks; at least some vulnerabilities have been fixed over the years: http://forums.unigui.com/index.php?/topic/3979-javascript-injection-problem-on-form-show

But some issues are still open:
http://forums.unigui.com/index.php?/topic/6907-unidbgrid-and-form-title-html-injection
http://forums.unigui.com/index.php?/topic/5252-unicode-support-issue-unprintable-chars

Depending on what kind of software you are developing there are probably workarounds (browse the forums and you will find plenty). Happy bugging/debugging!
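Added example, not from the thread and not uniGUI or Sencha code. It shows the client-side mitigation for the two injection points named above: a grid cell renderer and a form/window title are both inserted as HTML, so an untrusted field value has to be HTML-encoded before it gets there. `htmlEncode` below does the same replacements as `Ext.util.Format.htmlEncode`; the renderer and title helpers are hypothetical stand-ins for the Ext column `renderer` and `setTitle` calls, and the sample rows are constructed.

```javascript
// Added example, not uniGUI or Sencha code. Ext grid column renderers and window
// titles insert the string they are given as HTML, so any untrusted field value
// must be HTML-encoded first. htmlEncode below does what Ext.util.Format.htmlEncode
// does; the renderer and title helpers are hypothetical stand-ins for the Ext calls.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEncode(value) {
  // null/undefined become '' so a renderer never prints the word "undefined"
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Default-style renderer: returns the field value as-is, so markup in the data is live
function unsafeCellRenderer(value) {
  return `<span class="cell">${value}</span>`;
}

// Hardened renderer: same output shape, value encoded
function safeCellRenderer(value) {
  return `<span class="cell">${htmlEncode(value)}</span>`;
}

// Window/form title built from a record field (the form-title injection case)
function unsafeTitle(record) {
  return `Edit customer: ${record.name}`;
}

function safeTitle(record) {
  return `Edit customer: ${htmlEncode(record.name)}`;
}

// Reports whether rendered HTML still carries a tag that came from the data.
// Sufficient to judge the two renderers above: the wrapper element is the only tag allowed.
function hasInjectedTag(html, wrapperTag) {
  const stripped = html.replace(new RegExp(`^<${wrapperTag}[^>]*>|</${wrapperTag}>$`, 'g'), '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample rows: a legitimate apostrophe and an XSS payload
const SAMPLE_ROWS = [
  { name: "O'Brien" },
  { name: '<img src=x onerror=alert(document.cookie)>' },
];

// Renders one column of the grid with the given renderer
function renderColumn(rows, renderer) {
  return rows.map((row) => renderer(row.name));
}

// Demo when run directly: prints both renderings of each row
if (typeof require !== 'undefined' && require.main === module) {
  for (const row of SAMPLE_ROWS) {
    console.log('unsafe:', unsafeCellRenderer(row.name));
    console.log('safe:  ', safeCellRenderer(row.name));
  }
}
```

Encoding at the renderer is the right layer only when the renderer is the thing producing HTML; a value set as a DOM text property (a text field's value, for instance) does not need it, and double-encoding there shows literal `&lt;` to the user. The practical check for an Ext-based app is to search for every column `renderer`, `setTitle`, `html:` config and `tpl` that receives record data and confirm each one encodes.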