Published 2007-10-19 20:43:00

Most of the fun development projects had to be put on hold over the last few months, due to good ole paying projects.

ExtJS security holes

The majority of my paid projects are now using ExtJS, (and one has now used ExtJS 2.0, which is a definite improvement in both features and design). But I did run into what I considered to be a rather serious problem. ExtJS by design is a XSS nightmare... so be careful.

Basically the grid component and a few of the other components are designed to use JSON data comming from the server and render the data it recieves onto a styled HTML table. The problem I discovered, was that rather than using DOM.createTextElement() or similar to render the data it recieves. It uses innerHTML. So data is not escaped in any way prior to rendering onto the page.

It was discovered while testing one of my first major products, A complete Spam/Mail control solution, I discovered that it was not rendering email addresses <someaddress@example.com> , due to the <> characters. I dug into the code and realized the XSS hole, and posted it as a bug on the extjs forum.

Unfortunately it appears that rather than regarding this as a huge hole, they would rather trust developers to read the fine print in the documentation about rendering data to the screen. Personally I would be embarrassed by this attitude on my project.. 'security is someone elses problem'.. but I guess that's their problem... - I have to keep security patches for extjs handy....


GtkDjs updates

I finally got a short time yesterday to update the code in Gtkjs to use the latest dmdscript source, overlayed with my JS2 stuff and language binding add-ons. It builds and runs all the test code in the test folder, and Walter fixed the closure issues alot cleaner than I had...

I've also updated the 'downloadFiles.sh' script so that It fetches the correct language HTML files for the generator. It appears that gnome has moved all the documentation around. (It also means the generated code is more in sync with newer releases of Gtk and the many extensions.)

Mailfort teaser..

As I mentioned above, I'm working heavily on a new product, Mailfort, anyone sending email to me, who I dont know, is likely to get a Identify confirmation email. We are currently testing with friends and family, along with a couple of companies, and hopefully more details will appear soon. But the teaser is that I've been working on Spam and mail control solutions for myself and a few clients, which has finally evolved in something generic enough that we can begin to sell. A number of my friends have been complaining about their Spam problems, so they are now slowly being introduced to the beta test product (with very positive feedback) so hopefully we will get the full website and product rolled out soon.


Mentioned By:
google.com : extJS php (449 referals)
google.com : php extjs (177 referals)
google.com : extjs (144 referals)
google.com : december (103 referals)
google.com : extjs security (84 referals)
google.com : extjs and php (59 referals)
google.com : extjs designer (56 referals)
google.com : april (53 referals)
google.com : extjs print (45 referals)
google.com : extjs print grid (44 referals)
google.com : Extjs with php (35 referals)
planet-php.org : Planet PHP (33 referals)
google.com : extjs xss (28 referals)
google.com : extjs grid php (27 referals)
google.com : extjs problems (27 referals)
google.com : extjs grid print (22 referals)
google.com : extjs php (20 referals)
google.com : php extjs grid (18 referals)
google.com : extjs php grid (16 referals)
google.com : extjs php (14 referals)

Comments

Software Engineer/Architect
RE: ExtJS security holes

Alan, thanks for bringing up the ExtJS security issue.

For those who are interested following the discussing here�s a link to the original ExtJS forum post
http://extjs.com/forum/showthread.php?t=13913

Personally I do not think an ExtJS grid component should be responsible for any type of escaping unless application functionality requires it. For example, server might send a valid IMG tag which should be rendered like an image without any escaping, right?
Of course in some cases escaping is necessary and you have plenty of methods how to do it: Ext.util.Format.stripTags on a client side or doing some server side escaping.
#0 - Andrew Bidochko ( Link) on 2007-10-20 00:07:27 Delete Comment

Add Your Comment