Protect MODx.grid.Grid against XSS vulnerabilities by default #14344
What does it do?
When a MODx.grid.Grid/MODx.grid.LocalGrid implementation does not define a renderer for a column, automatically add the Ext.util.Format.htmlEncode renderer which protects the grid from XSS vulnerabilities.
When a renderer is set, no action is taken, and the implementation is assumed to handle its own protections. This allows implementations to still do things like add links or buttons into grids.
Why is it needed?
The manager is very prone to XSS vulnerabilities. This has been discussed in different places, most notably #14094. In the past week, a lot of XSS-related issues were raised and also fixed, but those are all putting bandaids on the core problem, which is that ExtJS was not configured in a way to treat any value as potentially hostile user input.
This PR changes that and automatically escapes all values in grids, unless otherwise instructed. The PR also escapes values from a combobox that are rendered through an
That's also why this targets 3.x - while security issues would typically go into a bugfix release, it is likely that compatibility issues in both core and third party extras will surface where those grids took advantage of the lack of encoding to insert links/buttons/other html into values.
This does not fix all XSS issues in the manager, but it does stop a lot of them (like the list here).
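The defaulting rule the PR describes, as an added example that is not MODX's own code and does not run inside ExtJS: `Ext.util.Format.htmlEncode` is replaced by a small stand-in with the same escaping (Ext 3.x escapes `&`, `<`, `>` and `"`), the grid is reduced to a plain walk over a column config array, and the names `applyDefaultRenderers` and `renderRow` are hypothetical helpers introduced here. Columns without a renderer get the encoder; a column with its own renderer is left untouched and, as in the PR, is trusted to do its own escaping.

```javascript
// Added example (not MODX core code): default-renderer rule from the PR, standalone.

// Stand-in for Ext.util.Format.htmlEncode as shipped in Ext 3.x.
// Note that single quotes are NOT escaped, so a custom renderer that places a
// value inside a single-quoted attribute still has to escape it itself.
function htmlEncode(value) {
  return !value ? value : String(value)
    .replace(/&/g, '&amp;')
    .replace(/>/g, '&gt;')
    .replace(/</g, '&lt;')
    .replace(/"/g, '&quot;');
}

// The PR's rule: a column that defines no renderer gets htmlEncode; a column
// that already has one is returned as-is so it can still emit links/buttons.
// (hypothetical helper name; MODX does this inside the grid constructor)
function applyDefaultRenderers(columns) {
  return columns.map(function (col) {
    if (typeof col.renderer === 'function') return col;
    return Object.assign({}, col, { renderer: htmlEncode });
  });
}

// Render one record into an array of cell strings, one per column.
// Renderer signature follows ExtJS: (value, metaData, record).
function renderRow(columns, record) {
  return columns.map(function (col) {
    return col.renderer(record[col.dataIndex], {}, record);
  });
}

// Constructed column config: one plain text column (no renderer) and one
// column whose implementation deliberately emits a link and escapes its own label.
const columns = applyDefaultRenderers([
  { header: 'Name', dataIndex: 'name' },
  {
    header: 'Action',
    dataIndex: 'id',
    renderer: function (id, metaData, record) {
      return '<a href="?id=' + encodeURIComponent(id) + '">' +
        htmlEncode(record.name) + '</a>';
    }
  }
]);

// Constructed record carrying markup in a user-controlled field.
const hostileRecord = { id: 7, name: '<script>alert(1)</script>' };

// The Name cell comes out encoded; the Action cell keeps its link markup
// because that column opted out of the default by defining a renderer.
console.log(renderRow(columns, hostileRecord));
```

The same walk is what lets the PR stay compatible with extras that build links or buttons in grids: defining any renderer at all opts the column out, which is also why a renderer that simply returns its value unchanged reintroduces the original exposure.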