0
votes

I have a jqGrid with add/edit feature. To prevent cross-site scripting, I use the autoencode feature. I look at the data being passed in the beforeSubmit and afterSubmit methods and I see the encoding working just fine. But when I close the popup by clicking save, the script executes anyway. The afterComplete method shows the script I had typed without any encoding.

The behavior can be replicated on the demo page too: http://trirand.com/blog/jqgrid/jqgrid.html (Live data manipulation -> add/edit row)

Please let me know if there is something obvious I missed or if there are any other ways I can prevent this scenario.

1
Found a solution in case someone else runs into this issue: do not set autoencode to true, but manually encode the data in beforeSubmit:

```javascript
beforeSubmit: function (postdata, formid) {
    // Encode every submitted field: the jQuery text()/html() round trip
    // turns &, < and > into their HTML entities.
    jQuery.each(postdata, function (n, v) {
        postdata[n] = jQuery('<div/>').text(v).html();
    });
    // jqGrid expects [success, errorMessage]
    return [true, ""];
}
```

(This is for the 5.0.1 version) - user3865946

1 Answer

0
votes

I would don't recommend you to use old 4.6 version of jqGrid (used i). It has many old bugs, which don't are fixed in later versions of jqGrid. The demo uses for example, free jqGrid 4.13.6 with . You can easy verify, that one can place some code, like <script>alert("Hello!");</script> in the column Client, for example, data during form or inline editing without executing the script. The data will be saved locally in internal data as the string '<script>alert("Hello!");</script>', but the data will be encoded with respect of $.jgrid.htmlEncode before placing the data on the HTML page. As the result, no script executing will take place if autoencode: true is specified.