
unidbgrid and form title: html injection


tappatappa


I need the unidbgrid to show every character (including < , >, &). Instead I see that those characters are interpreted as HTML. I have the same issue with form titles.


This is also a security issue!


Hi,

I'm sorry, can you clarify your issue?

When does that happen? Can you make a small test case for your issue?

I cannot reproduce it.

Best regards.


Sure.

I adapted a small project I had. It is only dependent on VirtualTable by Devart ODAC, which is a free component. I am pretty confident it also works with other in-memory datasets.

Just launch the application and look at the first row. It is supposed to contain the text "aaaa<p>a</p>"; instead it is rendered as

"aaaa

a

"

Of course you can enter any HTML you want: links, maybe even JS code!


I need a way to configure a grid so that it displays HTML (or any special character) and does not interpret it. Same thing for form titles. Other DB components are safe (uniDBEdit and labels, for instance).

I will upload another project by Monday.


For now, can you try this approach?

For example, for uniDBGrid:

function reconfigure(sender, store, columns, oldStore, oldColumns, eOpts)
{
    // 1 = your column index
    // Render the cell value HTML-encoded instead of as raw markup
    columns[1].renderer = function(val){
         return Ext.util.Format.htmlEncode(val);
    }
}

UniDBGrid->ClientEvents->ExtEvents->...

function reconfigure(sender, store, columns, oldStore, oldColumns, eOpts)
{
    // Apply the encoding renderer to every column of the grid
    columns.forEach(function(col){
        col.renderer = function(val){
            return Ext.util.Format.htmlEncode(val);
        }
    })
}

Unfortunately this introduces a problem. OnDrawColumnCell doesn't work anymore.

In the project above

// OnDrawColumnCell handler: sets the background colour of every cell
void __fastcall TMainForm::GridSrcDrawColumnCell(TObject *Sender, int ACol, int ARow, TUniDBGridColumn *Column, TUniCellAttribs *Attribs)
{
    Attribs->Color = clRed;
}

This is supposed to turn all the cell backgrounds red. It works only if you disable the reconfigure ExtEvent; I need both to work simultaneously.


I had a look at ext-unigui-min.js.

Maybe something like this?

function reconfigure(sender, store, columns, oldStore, oldColumns, eOpts)
{
    columns.forEach(function(col){
        // _rndcll_: uniGUI's own cell renderer from ext-unigui-min.js.
        // Forward the encoded value and the remaining renderer arguments to it
        // so that its behaviour (cell attribs) is kept in the chain.
        col.renderer = function(k,a,d,i,m,l,j){
            return _rndcll_(Ext.util.Format.htmlEncode(k), a,d,i,m,l,j);
        }
    })
}
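The two reconfigure posts above replace a column's renderer outright, which is why the renderer uniGUI installed for OnDrawColumnCell stops running. The following is an added example, not code from this thread or from the uniGUI project, showing the pattern that avoids that: wrap whatever renderer is already on the column and call it with the encoded value. Ext JS is not loaded here, so htmlEncode re-implements the escaping Ext.util.Format.htmlEncode performs (& < > " '); the column object, the stand-in framework renderer, renderCell and the two sample rows are constructed for the example, and installEncodingRenderer, frameworkStyleRenderer and demo are hypothetical names. Because the renderer reads the raw value from the record on every render and escapes it on output, re-rendering never escapes an already escaped string; the test also shows that htmlEncode itself is not idempotent, which is the double-escaping trap a "store it escaped" design runs into.

```javascript
// Added example (not code from the uniGUI thread): HTML-encode grid cell
// values while keeping the renderer the framework already put on the column.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that change meaning in HTML text or attributes.
// Mirrors what Ext.util.Format.htmlEncode does; Ext is not loaded here.
function htmlEncode(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, ch => ENTITY_MAP[ch]);
}

// Wrap the existing renderer instead of replacing it. The original renderer
// receives the encoded value plus the other Ext renderer arguments
// (metaData, record, rowIndex, colIndex, store, view), so any per-cell styling
// it applies keeps working.
function installEncodingRenderer(column) {
  const original = column.renderer;
  column.renderer = function (value, metaData, record, rowIndex, colIndex, store, view) {
    const safe = htmlEncode(value);
    if (typeof original === 'function') {
      return original.call(this, safe, metaData, record, rowIndex, colIndex, store, view);
    }
    return safe;
  };
  return column;
}

// Hypothetical stand-in for the renderer a framework attaches to apply cell
// attributes (here: a red background). It must pass the value through unchanged.
function frameworkStyleRenderer(value, metaData) {
  metaData.style = 'background-color:red';
  return value;
}

// Simulate rendering one cell the way a grid does: read the raw value from the
// record each time, so a re-render never sees an already escaped string.
function renderCell(column, record, rowIndex, colIndex) {
  const metaData = { style: '' };
  const value = record.data[column.dataIndex];
  const html = column.renderer(value, metaData, record, rowIndex, colIndex, null, null);
  return { html, style: metaData.style };
}

// Constructed sample rows: the first is the payload from the thread, the
// second breaks out of an attribute and injects a script tag.
const SAMPLE_RECORDS = [
  { data: { name: 'aaaa<p>a</p>' } },
  { data: { name: '"><script>alert(1)</script>' } },
];

// Render both rows through a column that already had the framework renderer.
function demo() {
  const column = installEncodingRenderer({ dataIndex: 'name', renderer: frameworkStyleRenderer });
  return SAMPLE_RECORDS.map((rec, i) => renderCell(column, rec, i, 0));
}

demo(); // first row renders as aaaa&lt;p&gt;a&lt;/p&gt; with the red background kept
```

In a real uniGUI ExtEvent the same wrapping goes inside reconfigure: capture `col.renderer` before assigning, and call it from the new renderer with the encoded value and the remaining arguments.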

As for the form title I am pretty lost: I was unable to change the behaviour of the JS Window object, and since TUniForm::GetCaption is NOT virtual I can't find a clean way to change its behaviour either.

class PASCALIMPLEMENTATION TUniBaseForm : public TUniBaseIntermForm
{
//...................
	System::UnicodeString __fastcall GetCaption(void);              // not virtual
	virtual void __fastcall SetCaption(System::UnicodeString Value);
};

my form

class TMyForm : public TUniForm
{
private:
	UnicodeString _unescaped_caption;   // caption as set by the application, before escaping
protected:
	UnicodeString __fastcall GetCaption(void);               // NO! only hides the base method
	virtual void __fastcall SetCaption(UnicodeString Value); // OK since it is virtual
public:        // User declarations
	__fastcall TMyForm(TComponent* Owner);
};

// ---------------------------------------------------------------------------
__fastcall TMyForm::TMyForm(TComponent * Owner) : TUniForm(Owner), _unescaped_caption(Caption)
{
}

// ---------------------------------------------------------------------------
UnicodeString __fastcall TMyForm::GetCaption(void)
{
    return _unescaped_caption; // this is never called!
}

// ---------------------------------------------------------------------------
// html_escape: helper defined elsewhere in the project (not shown here)
void __fastcall TMyForm::SetCaption(UnicodeString Value)
{
    _unescaped_caption = Value;
    TUniForm::SetCaption(html_escape(Value));
}

As a result, if I execute this

TMyForm* AForm = MyForm();
AForm->Caption = AForm->Caption;

the caption gets escaped twice!

