XSS issue on Platinum Grid - Filter

chmazur
Posts: 5
Joined: Tue Oct 29, 2013 2:38 pm

XSS issue on Platinum Grid - Filter

Post by chmazur » Tue Jul 29, 2014 11:39 pm

Hi there,

we have been advised about a security issue on Platinum Grid.

If you insert " onkeypress="alert('XSS!')
as criteria on the filter, you will be able to see the JS alert message.

On JTPlatinumGrid.js I'm not sure where I should sanitize the input code to fix
this issue.

I made some changes on _txtFilterBlur, _txtFilterKeyDown but not much success.
Any suggestion?

Thanks in advance,

ch.-

jomitech
Site Admin
Posts: 1921
Joined: Wed Oct 08, 2008 12:23 am

Re: XSS issue on Platinum Grid - Filter

Post by jomitech » Fri Aug 01, 2014 8:32 am

I have sent you a fix for this issue. I presume you're using the latest version of PlatinumGrid.
Jon

jomitech
Site Admin
Posts: 1921
Joined: Wed Oct 08, 2008 12:23 am

Re: XSS issue on Platinum Grid - Filter

Post by jomitech » Fri Aug 01, 2014 8:34 am

To manually fix this issue in any installation, open jtplatinumgrid.inc.php and locate the following line:

    'FILTERVALUE'           => $this->_Filter,

Change it to:

    'FILTERVALUE'           => htmlentities( $this->_Filter ),
Jon
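The following is an added illustration of why the one-line change above closes the hole; it is not PlatinumGrid's own code. It assumes the FILTERVALUE template variable is written into a double-quoted value="..." attribute of the filter text box, and uses the filter string from the original report as constructed input.

```php
<?php
// Added example, not PlatinumGrid code. Assumed markup: the filter value is
// placed inside a double-quoted value="..." attribute of the filter box.

// Filter string from the report above (constructed test input).
$filter = '" onkeypress="alert(\'XSS!\')';

// Before the fix: the value is interpolated raw, so the leading double quote
// closes the attribute and the rest of the string becomes a new attribute,
// an inline event handler that the browser will execute.
function renderFilterUnsafe(string $filter): string
{
    return '<input type="text" name="filter" value="' . $filter . '">';
}

// After the fix: htmlentities() rewrites " as &quot;, so the browser keeps the
// whole string inside the attribute value and no new attribute is created.
// ENT_QUOTES also encodes ' (covers single-quoted attributes); before PHP 8.1
// the default flags (ENT_COMPAT) leave single quotes alone, so passing the
// flags and charset explicitly is the safer habit.
function renderFilterSafe(string $filter): string
{
    return '<input type="text" name="filter" value="'
        . htmlentities($filter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Self-check: the injected attribute boundary survives in the unsafe output
// and disappears from the encoded output.
function filterValueStaysInsideAttribute(string $filter): bool
{
    return strpos(renderFilterUnsafe($filter), '" onkeypress=') !== false
        && strpos(renderFilterSafe($filter), '" onkeypress=') === false;
}

echo renderFilterUnsafe($filter), PHP_EOL;
echo renderFilterSafe($filter), PHP_EOL;
echo filterValueStaysInsideAttribute($filter) ? "encoded OK" : "still injectable", PHP_EOL;
```

Note that the encoding belongs at the point where the value is written into HTML (the PHP template variable, as in the fix), not in the JavaScript focus and keydown handlers the original question asked about, since those never run before the first page render.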
