2
votes

I am having a security issue with the ExtJS 6 paging toolbar for a grid. I am able to inject an XSS script into the numberfield of the paging toolbar.

Following is a fiddle with a paging grid: grid Fiddle link

Try pasting this code into the paging toolbar input field to replicate the issue: <img src=-x onerror="alert (0)";/>

I wish to stop this XSS injection. Any help is greatly appreciated.


3 Answers

1
votes

One way to fix it is by changing the paging bar's numberfield input type to number. You'll have access to the numberfield DOM in afterrender.

dockedItems: [{
    xtype: 'pagingtoolbar',
    store: 'simpsonsStore', // same store GridPanel is using
    dock: 'bottom',
    displayInfo: true,
    listeners: {
        afterrender: function (pg) {
            // the numberfield is in the DOM by now; switch its <input> to type="number"
            pg.child('[xtype=numberfield]').getEl().dom.getElementsByTagName("input")[0].type = 'number';
        }
    }
}]
0
votes

One option: The paging toolbar consists of a numberfield.

http://docs.sencha.com/extjs/6.0.1/classic/src/Paging.js.html

Add a listener to this field and check the input before processing.

0
votes

You can use a regex for masking alphabetic characters, as a number field will only contain numbers. Check this.
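The checks the answers describe (whitelist the page-number input, verify it before it is processed), as an added example that is not code from the question or any answer: a testable validator plus an Ext JS paging toolbar config that applies it to the numberfield. It assumes the field's itemId `inputItem` from the Paging.js source linked above (check it against your Ext JS version), the `simpsonsStore` name from the first answer, and a hypothetical `getPageCount` callback supplied by the caller.

```javascript
// Added example, not code from the question or any of the answers.
// Assumptions: the toolbar's page input is the numberfield with itemId 'inputItem'
// created in Paging.js (verify against your Ext JS version); 'simpsonsStore' is the
// grid's store as in the first answer; getPageCount is a hypothetical caller-supplied
// function returning the store's page count (or Infinity while it is not known yet).

// Accept only a positive integer within [1, pageCount]; anything else (markup, signs,
// decimals, letters) yields null. Returning a number or null means callers never
// forward raw text from the input anywhere.
function sanitizePageInput(rawValue, pageCount) {
  var text = String(rawValue == null ? '' : rawValue).trim();
  if (!/^[0-9]{1,9}$/.test(text)) {   // whitelist: digits only, bounded length
    return null;
  }
  var page = parseInt(text, 10);
  if (page < 1 || page > pageCount) {
    return null;
  }
  return page;
}

// Builds the docked paging toolbar config; the hardening is wired in afterrender,
// once the toolbar has created its numberfield.
function buildPagingToolbarConfig(getPageCount) {
  return {
    xtype: 'pagingtoolbar',
    store: 'simpsonsStore',
    dock: 'bottom',
    displayInfo: true,
    listeners: {
      afterrender: function (pg) {
        var input = pg.child('#inputItem');
        // Field-level validator: returns a fixed message, never the echoed raw value.
        input.validator = function (value) {
          return sanitizePageInput(value, getPageCount()) !== null || 'Invalid page number';
        };
        // Pasted text bypasses keystroke masks, so re-check the raw text on change
        // and discard it (reset to the field's original value) when it fails.
        input.on('change', function (field) {
          if (sanitizePageInput(field.getRawValue(), getPageCount()) === null) {
            field.reset();
          }
        });
      }
    }
  };
}
```

The client-side check is defence in depth only; whatever page parameter reaches the server still has to be validated there.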