DNNCommunity / DNN.Reports

DNN Reports module provides a simple, flexible view on your database (any table, any view) and displays the results with plugin visualizers
MIT License

Is Javascript being stripped inside a report? #55

Closed mbuelsing closed 4 years ago

mbuelsing commented 5 years ago

Please summarize your question in one sentence

I have had javascript inside reports many times. This time the javascript is being stripped out.

Give a more extended description

Would prefer that JS was not stripped out.

Steps to reproduce (if needed)

Create a report and use html visualizer. Create an anchor tag in the html template with some js, for example, {a onclick="alert('hello world')"}xxxxx{/a} . View the report. The entire onclick and js is stripped out leaving just the {a}xxxxx{/a} behind.

Other comments or remarks

DNN 9.3.2 Reports 6.1.0

EPTamminga commented 5 years ago

The HTML template is indeed stripped from JS using the standard DNN-API routines. This was done by design to minimize security issues. I can imagine that this is a drawback. I will rethink it, to see if we can circumvent this.

stale[bot] commented 4 years ago

We have detected this issue has not had any activity during the last 180 days. That could mean this issue is no longer relevant and/or nobody has found the necessary time to address the issue. We are trying to keep the list of open issues limited to those issues that are relevant to the majority and to close the ones that have become 'stale' (inactive). If no further activity is detected within the next 21 days, the issue will be closed automatically. If new comments are posted and/or a solution (pull request) is submitted for review that references this issue, the issue will not be closed. Closed issues can be reopened at any time in the future. Please remember those participating in this open source project are volunteers trying to help others and creating a better DNN Platform for all. Thank you for your continued involvement and contributions!

EPTamminga commented 4 years ago

Still relevant

mbuelsing commented 4 years ago

I can't upgrade this module to the latest version because it will break the functionality of my reports. There are many reports this way. Can we have a checkbox in the settings to disable the stripping?

EPTamminga commented 4 years ago

@mbuelsing I will remove the stripping in the next release.

I have updated my local dev environment to the latest version of DNN.Reports, processed outstanding PRs, but I have to look into 1 PR that has a conflict with the current code.

mbuelsing commented 2 years ago

@EPTamminga I have been running smoothly with the Reports module after your update to stop removing Javascript. However today I am seeing the same behavior again on Version 6.02.04. The following html is an example. Here is the html in the template.

[div][a href="javascript:dnnsf.api.actionForm.openPopupById('2194');"]Edit[/a][/div] [div][button onclick="dnnsf.api.actionForm.openPopupById('2194');"]Click me[/button][/div]

And here it is after the report is rendered.

[div][a href=" dnnsf.api.actionForm.openPopupById('2194');"]Edit[/a][/div] [div][butt]Click me[/butt][/div]

Is 6.02.04 stripping the JS or is something else at play?

Thank you for your work on this module.
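The two outputs quoted in this thread (the stripped `onclick` in the first report and the `[butt]` tag in the last comment) are the typical signature of a sanitizer that pattern-matches raw text instead of parsed tags. The following is an added illustration, not code from DNN.Reports or from the DNN `InputFilter` routines the maintainer refers to; the regex in part 1 is a hypothetical pattern chosen because it reproduces an artefact of the same shape, and the exact DNN pattern is not shown on this page. The sample template is the one from the last comment, with its `[ ]` placeholders written as angle brackets; `dnnsf.api.actionForm.openPopupById` is copied from there. Part 2 shows the alternative a defender would normally prefer: rebuild the markup from parsed tokens, remove only `on*` attributes, script-scheme URLs and `<script>` elements, and record what was removed so a report author can see why the rendered output changed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample: the template quoted in the last comment of the thread,
# with its [ ] placeholders written as real angle brackets.
TEMPLATE = (
    "<div><a href=\"javascript:dnnsf.api.actionForm.openPopupById('2194');\">Edit</a></div> "
    "<div><button onclick=\"dnnsf.api.actionForm.openPopupById('2194');\">Click me</button></div>"
)

# --- 1. Regex over raw text (hypothetical pattern; NOT the DNN InputFilter) -----------
# A pattern meant to delete on*="..." handlers that allows whitespace inside the
# attribute name starts matching at the "on" inside the tag name "button" and
# swallows ' onclick="..."' with it, which is the shape of the <butt> artefact.
NAIVE_EVENT_HANDLER = re.compile(r'on[a-z\s]*=\s*"[^"]*"', re.IGNORECASE)
NAIVE_JS_URL = re.compile(r"javascript:", re.IGNORECASE)


def naive_strip(html):
    """Text-level stripping: removes the handlers but also damages tag names."""
    without_handlers = NAIVE_EVENT_HANDLER.sub("", html)
    return NAIVE_JS_URL.sub(" ", without_handlers)


# --- 2. Token-level sanitiser: rebuild the markup from parsed tags ------------------------
class ScriptStrippingSanitizer(HTMLParser):
    """Re-emits every tag, dropping only on* attributes, script-scheme URLs and
    <script> elements. Tag names come from the parser and are never
    pattern-matched, so <button> and </button> survive intact."""

    URL_ATTRS = {"href", "src", "action", "formaction"}
    DROP_ELEMENTS = {"script"}

    def __init__(self):
        # convert_charrefs=False keeps &lt; and friends as written; decoding them
        # here would hand a raw "<" back to the browser in the rebuilt output.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []   # audit trail: (tag, attribute, value) for every removal
        self._skip = 0      # > 0 while inside a dropped element

    @staticmethod
    def _is_script_url(value):
        # Browsers ignore control characters and whitespace before the scheme,
        # so normalise them away before comparing.
        compact = "".join(c for c in value if not c.isspace() and c.isprintable()).lower()
        return compact.startswith(("javascript:", "vbscript:"))

    def _emit_start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.dropped.append((tag, name, value or ""))
                continue
            if lname in self.URL_ATTRS and value and self._is_script_url(value):
                self.dropped.append((tag, name, value))
                continue
            # html.parser has already decoded the value, so re-escape it on output.
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_ELEMENTS:
            self._skip += 1
            self.dropped.append((tag, "", ""))
            return
        if not self._skip:
            self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if not self._skip and tag not in self.DROP_ELEMENTS:
            self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.DROP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a report needs to render; drop them


def sanitize(html):
    """Returns (cleaned markup, list of removed (tag, attribute, value) entries)."""
    parser = ScriptStrippingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    print("naive :", naive_strip(TEMPLATE))
    cleaned, removed = sanitize(TEMPLATE)
    print("parser:", cleaned)
    for entry in removed:
        print("removed:", entry)
```

Run stand-alone, the naive pass turns the sample into `<div><a href=" dnnsf.api.actionForm.openPopupById('2194');">Edit</a></div> <div><butt>Click me</button></div>`: the handler and the `javascript:` scheme are gone, the leading space in the `href` and the truncated `<butt` are collateral damage, and nothing records what happened. The parser-based pass yields `<div><a>Edit</a></div> <div><button>Click me</button></div>` plus a `dropped` list naming the two removed attributes; that list is the piece a module like this would need to surface to the report author, whichever way the "strip or keep" setting discussed above is eventually decided.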