XSS attack by User input
https://snippet.webix.com/haopac8x
When I click on "Click me to test", it triggers a JS script. How can I prevent that?
Hello duynq2197,
We have two ways to prevent such behavior:
format: [webix.template.escape](https://docs.webix.com/api___template_escape.html). You can specify it in any column you need. Please check the snippet with the example: Code Snippet
@Natalia_Shilova Thanks, but I have one more problem.
How can I apply it to every view: "datatable" in my app? I use it on many screens.
Using webix.extend to modify datatable defaults:

```js
webix.extend(webix.ui.datatable, {
  defaults: {
    css: "test" // Apply CSS class 'test' to all datatables
  }
});
```
I found this solution.
Combined with the first solution to prevent XSS attacks, we have:
```js
// Extend the default configuration of datatable columns - Prevent XSS attack
webix.extend(webix.ui.datatable, {
  $init: function() {
    // Loop through all columns and apply the default format
    this.attachEvent("onStructureLoad", function() {
      this.config.columns.forEach(function(column) {
        // If the column does not have a format set, apply webix.template.escape
        if (!column.format) {
          column.format = webix.template.escape
        }
      })
    })
  }
})
```
duynq2197,
This is a valid solution that will affect every datatable in the app. Thank you for sharing it!
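
The handler above only fills in `format` where a column has none, so a column with its own format still has to escape its output itself. The following is an added example, not code from the thread or from Webix: it applies the same rule to plain column objects and then audits which columns still return raw markup. `escapeHtml` is a stand-in for `webix.template.escape`, and `findUnescapedColumns` and `sampleColumns` are hypothetical helpers working on constructed data.

```javascript
// escapeHtml is a stand-in so the code runs without Webix;
// it is not Webix's implementation of webix.template.escape.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Same rule as the onStructureLoad handler in the thread:
// a column gets the escaping format only if it has no format of its own.
function applyDefaultEscape(columns, escape = escapeHtml) {
  columns.forEach((column) => {
    if (!column.format) column.format = escape;
  });
  return columns;
}

// Audit helper (hypothetical): feed a harmless markup probe through every
// column format and report the ids of columns that return it with a raw "<".
function findUnescapedColumns(columns) {
  const probe = '<i data-probe="1">probe</i>'; // constructed test value
  return columns
    .filter((column) => {
      const format = column.format || ((v) => v); // no format: value is rendered as-is
      try {
        return String(format(probe)).includes("<");
      } catch (err) {
        return false; // format rejected a string value, so nothing was rendered
      }
    })
    .map((column) => column.id);
}

// Constructed column configs, shaped like datatable column definitions.
function sampleColumns() {
  return [
    { id: "title" },                                      // no format: gets the default
    { id: "comment", format: (v) => String(v).trim() },   // custom format, no escaping
    { id: "votes", format: (v) => Number(v).toFixed(0) }, // numeric output only
  ];
}

const columns = applyDefaultEscape(sampleColumns());
console.log(columns[0].format('<a onclick="x()">Click me to test</a>'));
console.log(findUnescapedColumns(columns)); // columns that still need their own escaping
```

Running the audit over an application's real column definitions shows which custom formats must call the escape function themselves before returning a string.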