Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

jqgrid autoencode=true encode postdata

I'm trying to fix XSS vulnerabilities across my web application and I'm stuck with jqGrid.

I activated 'autoencode' for all my grids and the documentation says : "When set to true encodes (html encode) the incoming (from server) and posted data (from editing modules).".

My problem is that I don't understand why posted data are encoded. This way I'm getting html escaped text in my database. So this database is no more readable by an other application (or it has to decode all texts), and in addition database search doesn't work any more.

So, is it possible to only encode data retrieved from database and post data as it ? Currently, I disabled autoencode and added formatter on all my columns to escape all text. Is it the only way ?

like image 286
william Avatar asked Jun 28 '26 18:06

william


1 Answers

You can use serializeEditData (in case of usage form editing), serializeRowData (in case of usage inline editing) or serializeCellData (in case of usage cell editing) to change the data which will be send to the server during editing. To decode the data you can use for example $.jgrid.htmlDecode. You can enumerate all properties of posted data and decode the value of the corresponding property. Alternatively you can use decoding of posted data on the server side. Any technology which you use on the server provide simple method which can be used for decoding. For example in ASP.NET one can use HtmlDecode/HtmlEncode methods of HttpServerUtility.

like image 141
Oleg Avatar answered Jul 03 '26 23:07

Oleg



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!