
Free jqGrid uses the setting

    autoencode: true

The grid definition contains:

    $grid.jqGrid({
        url: '/admin/API/Entity',
        datatype: "json",
        editurl: '/admin/Detail/Edit'
        // ...
    });

In inline edit, the `<a` characters are entered into the Nimetus column and the data is posted to the server in url-encoded format.

Request URL:http://localhost:52216/admin/Detail/Edit?_entity=DokG&_dokumnr=135322&_vmnr=0
Request Method:POST
Status Code:490 OK
Response Headers
Cache-Control:private, s-maxage=0
Content-Length:122
Content-Type:application/json; charset=utf-8
Date:Mon, 23 Nov 2015 15:31:54 GMT
Server:Microsoft-IIS/10.0
X-AspNet-Version:4.0.30319
X-SourceFiles:=?UTF-8?B?STpccmFhbWF0XEVldmFXZWJcRWV2YS5FcnBcRGV0YWlsXEVkaXQ=?=
Request Headers

POST /admin/Detail/Edit?_entity=DokG&_dokumnr=135322&_vmnr=0 HTTP/1.1
Host: localhost:52216
Connection: keep-alive
Content-Length: 1724
Accept: */*
Origin: http://localhost:52216
X-Requested-With: XMLHttpRequest

Query String Parameters

_entity:DokG
_dokumnr:135322
_vmnr:0
Form Data
Kogus=&Nimetus=%3Ca&Mootyhik0_nimetus=&Hinnak=&Hind=&Myygikood=&_rowsum=0.00&Rtellimus=&Toode=&Kulukonto=&Yhik=&Id=0&Dokumnr=135322&Reanr=3&_oper=edit&_rowid=1648&_dokdata=%5B%7B%22name%22%3A%22Klient0_nimi%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Tasudok%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Kuupaev%22%2C%22value%22%3A%222015-11-23%22%7D%2C%7B%22name%22%3A%22Kellaaeg%22%2C%22value%22%3A%2217+29%22%7D%2C%7B%22name%22%3A%22Maksetin1_tingimus%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Tarnekla2_nimetus%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Konto3_tekst%22%2C%22value%22%3A%22112%22%7D%2C%7B%22name%22%3A%22Yksus%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Tasukuup%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Knr%22%2C%22value%22%3A%2213111%22%7D%2C%7B%22name%22%3A%22Alamdok4_nimetus%22%2C%22value%22%3A%22ASL%22%7D%2C%7B%22name%22%3A%22Raha%22%2C%22value%22%3A%22EUR%22%7D%2C%7B%22name%22%3A%22Eimuuda%22%2C%22value%22%3A%22false%22%7D%2C%7B%22name%22%3A%22Prladu5_laonimi%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22Krdokumnr%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Tekst1%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Pais7obj%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Klient%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Maksetin%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Tarneklaus%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22Arvekonto%22%2C%22value%22%3A%22112%22%7D%2C%7B%22name%22%3A%22Oper%22%2C%22value%22%3A%22ASL%22%7D%2C%7B%22name%22%3A%22Laonr%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22Dokumnr%22%2C%22value%22%3A%22135322%22%7D%2C%7B%22name%22%3A%22Kinnitatud%22%2C%22value%22%3A%22False%22%7D%5D

The ASP.NET MVC4 controller uses reflection to call a method which reads this value using `ControllerContext.HttpContext.Request.Form["Nimetus"]`.

This access causes an exception:

    System.Web.HttpRequestValidationException was unhandled by user code

      Message=A potentially dangerous Request.Form value was detected from the client (Nimetus="<a").

The exception occurs at the line

    ControllerContext.HttpContext.Request.Form["Nimetus"]

How can I fix the issue?

The Edit controller method signature is:

    [AcceptVerbs(HttpVerbs.Post)]
    [HandleJsonException]
    public JsonResult Edit(string _entity, string _dokdata, int? _dokumnr, string _rowid,
        int? _vmnr, string _isik)

Update

Document header data is passed as the `_dokdata` parameter using

    extraparam: { _dokdata: getEevaFormData },

in

    $.extend(true, $.jgrid.inlineEdit, {
        position: "beforeSelected",
        focusField: false,
        restoreAfterError: false,
        afterrestorefunc: function(rowId) {
            updateButtonState($grid, rowId);
            setFocusToGrid();
            lastSelectedRow = undefined;
        },
        aftersavefunc: function(rowId, response) {
            afterSaveFuncAfterAdd.call(this, rowId, response);
        },
        oneditfunc: function(rowId) {
            onInlineEdit(rowId);
            updateButtonState($grid, rowId);
        },
        keys: true,
        rowID: '_empty',
        useDefValues: true,
        extraparam: { _dokdata: getEevaFormData },
        errorfunc: errorfunc
    });

The controller's `_dokdata` parameter now contains the function definition, with `"` replaced by `&quot;`:

    function getEevaFormData() {
        return JSON.stringify($(&quot;#_form&quot;).serializeArray());
    }

Actually it should contain the JSON string which is the result of this function call.

Andrus
  • Does your content have any `< >` tags? – Arunprasanth K V Nov 22 '15 at 18:17
  • @ArunprasanthKV I haven't found `<>` characters in the request. I updated the question and added the request copied from Chrome developer tools. Since it looks like there are no `<>` characters, it is not a duplicate. – Andrus Nov 22 '15 at 18:25
  • I mean, you are giving some data to the grid; does that data contain any tags that would allow a cross-site scripting attack? – Arunprasanth K V Nov 22 '15 at 18:27
  • jqGrid receives JSON data from the MVC4 Web API controller and encodes it to JSON properly. The question is about the data which jqGrid **sends** back to the MVC controller on save. – Andrus Nov 22 '15 at 18:30
  • How did you define the column `Nimetus`? Which editing mode do you use? Which is the exact test case? I tried to reproduce the problem using [the demo](http://www.ok-soft-gmbh.com/jqGrid/OK/test1.htm) (I have no backend component with the URL `"dummy"`, which I use in `editurl`, but I examine the data posted to the server using [Fiddler](http://www.telerik.com/fiddler)). I see that a column which has `'` in the original data, or a value with `'` entered during editing, will always be sent as `name='` to the server. No encoding. – Oleg Nov 22 '15 at 19:54
  • @Andrus: [The changes](https://github.com/free-jqgrid/jqGrid/commit/ad112457b8c200d671662d794e66cc9450616eff) could be the reason of your problem. `htmlEncode` now encodes `'` and `/` to `&#x27;` and `&#x2F;`, but `htmlDecode` does the same encoding back. I can't reproduce the problem, but I can only guess that you made some **additional data encoding** of your data, and because of the last changes you see side effects. If you provide a clear demo which demonstrates that the changes in `htmlEncode` and `htmlDecode` are wrong, I would implement the fix in free jqGrid. – Oleg Nov 22 '15 at 20:09
  • @Oleg Nimetus is defined as `{"label":"Nimetus","name":"Nimetus","index":"Nimetus","editoptions":{"maxlength":50,"size":50,"dataEvents":[],"readonly":"readonly","disabled":"disabled"},"editable":true,"width":226,"classes":"jqgrid-readonlycolumn","hidden":false,"searchoptions":{"sopt":["cn","eq","ne","lt","le","gt","ge","bw","ew","nc"]},"stype":"text"}` The issue occurs both in form and inline edit modes. Is it OK if I provide a URL to you which reproduces the issue? In the older jqGrid the issue does not occur. It occurs in some rows and for some other characters also. – Andrus Nov 22 '15 at 20:26
  • @Andrus: Yes, I can test/debug the issue. You can send me the URL via email with the test case. Please use [URLs from RawGit](https://github.com/free-jqgrid/jqGrid/wiki/Access-free-jqGrid-from-different-CDNs#access-githib-code-from-rawgit) in the demo. If I find the problem and post the fix to GitHub, the demos will be fixed too. – Oleg Nov 22 '15 at 20:31
  • @Oleg I updated the question and provided the correct Nimetus definition. The definition in the comment was a little wrong, but probably this is not the issue because there is nothing special in the definition. – Andrus Nov 22 '15 at 20:34
  • @Andrus: Sorry, but I can verify whether a bug exists in the latest version of free jqGrid if I have a demo which reproduces the problem and which I can debug. I posted [the URL](http://www.ok-soft-gmbh.com/jqGrid/OK/test1.htm) to the simple demo where I tried to reproduce the problem, but free jqGrid sends `'` in non-encoded form in both form and inline editing. I can't help you without your demo. I wrote before that I suppose that *your code* could have some unneeded call of `htmlEncode`. – Oleg Nov 22 '15 at 20:46
  • @Oleg I searched for htmlEncode but haven't found its usage in my JavaScript. I started to create a RawGit-based demo but got the exception `The URL 'http://rawgit.com/free-jqgrid/jqGrid/master/css/ui.jqgrid.css' is not valid. Only application relative URLs (~/url) are allowed.` at the line `bundleMain.Include(virtualPaths)` – Andrus Nov 22 '15 at 21:04
  • @Andrus: The URLs `http://rawgit.com/free-jqgrid/jqGrid/master/css/ui.jqgrid.css` and `http://rawgit.com/free-jqgrid/jqGrid/master/js/jquery.jqgrid.src.js` are valid for me. You should just **not include the source in a bundle**! One should not minimize the code. In any case, I made changes in the code of free jqGrid. See my answer. I plan to publish a new version of free jqGrid next week. Until then you need just to refresh the sources from GitHub. – Oleg Nov 22 '15 at 21:29
  • I was able to create a GitHub-based demo and can provide the URL to you on your request. However, after your changes it works now from GitHub. – Andrus Nov 22 '15 at 21:48

1 Answer

I reverted the encoding of `'` and `/` to `&#x27;` and `&#x2F;` made in free jqGrid. See the commit with the description of the reason. I think that part of jqGrid needs to be changed, but I have reverted to the previous behavior for now.

Oleg
  • Now duplicate keys are posted. I posted this at http://stackoverflow.com/questions/33969813/how-to-fix-duplicate-form-key-post-in-form-edit-after-free-jqgrid-upgrade – Andrus Nov 28 '15 at 09:42
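As an added example (not free jqGrid's or Oleg's code), here is the encode/decode round trip that the answer and the comments turn on, in plain JavaScript. The entity tables and the functions `makeEncoder`, `makeDecoder`, `postedValue`, `doubleEncodedPost` and `roundTripReport` are my own constructions that only model how `autoencode` behaves, and the sample values are constructed.

```javascript
// Added illustration, not free jqGrid's own code: a table-driven HTML
// encode/decode pair modelled on what autoencode does, to show (1) why the
// server still receives a raw "<a" and (2) why changing the encoder without
// the matching decoder alters the data that gets posted.
const BASE_TABLE = [["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"]];
// Hypothetical extended table with the two entities the answer refers to.
const EXTENDED_TABLE = BASE_TABLE.concat([["'", "&#x27;"], ["/", "&#x2F;"]]);

function makeEncoder(table) {
  // "&" is first in the table, so it is escaped before any entity is emitted.
  return (s) => table.reduce((acc, [ch, ent]) => acc.split(ch).join(ent), String(s));
}

function makeDecoder(table) {
  // Reverse order: "&amp;" is restored last, so "&amp;lt;" decodes to "&lt;".
  return (s) => [...table].reverse()
    .reduce((acc, [ch, ent]) => acc.split(ent).join(ch), String(s));
}

const encodeOld = makeEncoder(BASE_TABLE);
const decodeOld = makeDecoder(BASE_TABLE);
const encodeNew = makeEncoder(EXTENDED_TABLE);
const decodeNew = makeDecoder(EXTENDED_TABLE);

// What autoencode is meant to do on save: decode the displayed cell value
// back to the original text before it is posted to editurl.
function postedValue(encode, decode, cellValue) {
  return decode(encode(cellValue));
}

// The mistake suspected in the comments: a value encoded twice but decoded
// once keeps one layer of entities (e.g. "&quot;") in the posted data.
function doubleEncodedPost(encode, decode, value) {
  return decode(encode(encode(value)));
}

// Constructed sample values; the first matches the Nimetus field in the question.
const SAMPLES = ["<a", "O'Neil 1/2", 'say "hi"'];

// Report which encoder/decoder pairings preserve every sample unchanged.
function roundTripReport() {
  const pairs = { oldOld: [encodeOld, decodeOld], newOld: [encodeNew, decodeOld], newNew: [encodeNew, decodeNew] };
  return Object.fromEntries(Object.entries(pairs).map(([name, [enc, dec]]) =>
    [name, SAMPLES.every((s) => postedValue(enc, dec, s) === s)]));
}

console.log(postedValue(encodeOld, decodeOld, "<a"));         // "<a": posted raw, so ASP.NET request validation still fires
console.log(postedValue(encodeNew, decodeOld, "O'Neil 1/2")); // "O&#x27;Neil 1&#x2F;2": mismatched encoder/decoder
console.log(roundTripReport());                               // { oldOld: true, newOld: false, newNew: true }
```

The first case is the one that matters for the exception in the question: autoencode only protects the rendered cell, the server still receives `<a` (seen as `Nimetus=%3Ca` in the request dump), so request validation and output encoding on the ASP.NET side are unaffected by whatever the grid does client-side.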