Hi all, I am looking for a way to sanitize inputs to keep scripts from being executed when editing grid records. If I add something as simple as '<img src=z onerror=alert(278)>' into a rowEdit input, the script will execute. Is there a simple or native option to restrict or treat input values as text?
Hello Ben,
Thank you for following up!
I am glad that you find my suggestion helpful and managed to achieve your requirement!
Additionally, using the editRowEnding event could also be considered a possible approach for achieving the desired behavior as it also provides information for the new values and is fired before the editing operation ends.
Please do not hesitate to let me know if you need any further assistance regarding this matter.
Sincerely, Riva Ivanova, Associate Software Developer
OK, thanks. I wasn't sure if there was something native or an option to enable. I went with the full rowEditEnding approach and check if the value is a typeof(string):
editRowEnding: function (evt, ui) {
    // Only run when the row was actually changed
    if (ui.update) {
        $.each(ui.values, function (i, n) {
            // Escape string values only; numbers, dates etc. are left untouched
            if (typeof n == "string") {
                ui.values[i] = $("<div>").text(n).html();
            }
        });
    }
},
Thank you for posting into our community!
I have been looking into your question and an approach I could suggest is using the editCellEnding event which is fired before cell editing ends and provides useful information such as the new value.
Additionally, as the editCellEnding event is fired for each cell when using row editing, I would suggest using the update option to check if the value is changed and apply custom logic for sanitizing it.
For example:
features: [
    {
        name: "Updating",
        editMode: "row",
        editCellEnding: function (evt, ui) {
            // ui.update is true only when the cell value was changed
            if (ui.update) {
                ui.value = escapeHtml(ui.value); // escapeHtml is the helper defined in the sample
            }
        },
    },
],
A small sample demonstrating my suggestion can be found here.
Please test it on your side and let me know if you need any further assistance regarding this matter.
Looking forward to your reply.
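The escape-on-edit approach from both posts above (Riva's editCellEnding handler and Ben's editRowEnding handler), as an added example that is not code from the thread or from Infragistics. Two things worth checking before adopting it: the jQuery $("<div>").text(v).html() trick escapes &, < and > but leaves quotes alone, so a value that is later placed inside an HTML attribute (a title or a data attribute in a column template, for example) can still break out of it; and escaping at edit time stores encoded text in the data source, so any consumer that already encodes on output will double-encode it. The escapeHtml helper below covers the attribute case too, and the handlers are written in the shape igGrid's Updating feature calls them, but the ui objects in the demo are constructed stand-ins so the code runs without jQuery or igGrid. The option name and handler wiring in the comment are assumptions about the page's grid setup.

```javascript
// Added example, not from the original thread or Infragistics' own code.
// Characters that can change HTML structure in text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for safe insertion into HTML. Unlike
// $("<div>").text(v).html(), this also neutralises both quote characters,
// so the result is safe inside a quoted attribute as well as in a text node.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Per-cell handler for features[Updating].editCellEnding.
// ui.update is true only when the cell's value actually changed.
function editCellEnding(evt, ui) {
  if (ui.update && typeof ui.value === "string") {
    ui.value = escapeHtml(ui.value);
  }
}

// Whole-row handler for features[Updating].editRowEnding.
// ui.values maps column key -> new value; non-string values such as
// numbers or dates are left alone so the data source keeps its types.
function editRowEnding(evt, ui) {
  if (!ui.update) return;
  for (const key of Object.keys(ui.values)) {
    if (typeof ui.values[key] === "string") {
      ui.values[key] = escapeHtml(ui.values[key]);
    }
  }
}

// Assumed wiring (hypothetical grid id, same option names as in the thread):
//   $("#grid").igGrid({
//     features: [{ name: "Updating", editMode: "row", editRowEnding: editRowEnding }],
//   });

// Constructed row edit: the payload from the question plus an
// attribute-context payload that the .text().html() trick would not cover.
function demo() {
  const ui = {
    update: true,
    values: {
      Name: "<img src=z onerror=alert(278)>",
      Note: '" autofocus onfocus=alert(1) x="',
      Qty: 3,
    },
  };
  editRowEnding(null, ui);
  return ui.values;
}
```

Because escapeHtml returns a plain string, it can be run from a browser console against any value you suspect to see exactly what the grid would store; if the column is rendered through a template that already encodes, apply the escaping in the template instead and leave the stored value raw.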