Webix prevent XSS attack

How can I prevent XSS attacks using Webix?
Does it affect FORM and DATAGRID (EDIT)?

Hello @duynq2197 ,

As a UI library, Webix does not maintain full XSS security enabled by default. However, there are some related features that can be helpful for you.

In general, data and server-side interaction (either global or on a component level) and content rendering can be controlled by a developer.

  • There are XSS Safe templates. They can be used for rendering data in simple templates (with “#…#”) on the client-side.

  • For more complex custom rendering functions in data templates (or at any part of the application logic), the content can be escaped. There is a separate helper, webix.template.escape, for it.

  • As for the data processing / server-side interaction, by default, request parameters (in our default code, objects with key-value pairs) are simply formatted through encodeURIComponent. Please check the following example of different formats for the parameters: Code Snippet. If the parameters are passed as an object, the common logic assembles them into one string (complex values will be serialized) and applies encodeURIComponent to each value as a default safety/formatting action. At the same time, a pre-created FormData or a custom string will pass without changes.

  • Global preprocessing of all parameters of all requests issued with Webix methods is possible with the onBeforeAjax method. To provide more specific settings for one or multiple components, proxy objects allow completely redefining the logic of loading and saving the data.

  • In addition, our Webix Remote supports CSRF security.

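To make the difference between a plain “#…#” template and an escaped one concrete, here is a small stand-alone JavaScript illustration. It is added here and is not Webix code or code from this thread: the five-character escape set is an assumption about what webix.template.escape does, and renderTemplate / escapeAllFields are hypothetical stand-ins that run without the Webix library.

```javascript
// Added illustration (not Webix code): what XSS-safe rendering of form /
// datagrid data amounts to. The escape set is an assumption about what
// webix.template.escape does; renderTemplate mimics a "#field#" template.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape HTML-significant characters so user data is shown as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Minimal "#field#" renderer. unsafe=true mimics an ordinary template
// (raw interpolation); the default mimics the XSS-safe variant.
function renderTemplate(template, record, { unsafe = false } = {}) {
  return template.replace(/#([\w.]+)#/g, (_, key) => {
    const raw = record[key] === undefined ? "" : record[key];
    return unsafe ? String(raw) : escapeHtml(raw);
  });
}

// Escape every string field of a record at once, e.g. before a form's or
// datagrid editor's values reach a custom rendering function.
function escapeAllFields(values) {
  const out = {};
  for (const [k, v] of Object.entries(values)) {
    out[k] = typeof v === "string" ? escapeHtml(v) : v;
  }
  return out;
}

// Constructed sample: a record whose "name" came from a grid editor.
const SAMPLE = { id: 1, name: "Bob <script>alert(1)</script>" };

// Raw template injects the markup; safe template renders it as text.
console.log(renderTemplate("<td>#name#</td>", SAMPLE, { unsafe: true }));
console.log(renderTemplate("<td>#name#</td>", SAMPLE));
console.log(escapeAllFields(SAMPLE));
```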

Sorry. One more question. Is there any way to apply it to all fields on a form? Or to all edit datagrids?