JavaScript Injection

SS_9584798
2-Guest

Hi All,

We are trying to add functionality to the advanced grid widget where double clicking a cell would copy to clipboard whatever is contained in the cell.
What would be the security risk of adding JavaScript to the page if that code is not being run on the server side, and only on the client side?
How would this be any different from someone running code through the inspect tool of their browser?

Other useful scenarios would be to do client-side processing for manipulating the DOM without constant calls back to the server to run services.

Thanks in Advance.

Thanks,

Sakshi Sikarwar

Accepted Solution

Realistically, the security risk of such code depends on what you write; as long as you have control over what gets executed (e.g. don't load arbitrary code, don't allow end users to input code) and the code that you write is secure, you should be fine. On the client side, the major issue is with executing unintended code. As you pointed out, if there were any inherent risk in executing code on the client side generally, a bad actor would just be able to open the inspector and exploit it. This is why it's very important to perform the proper validation and set up the appropriate access control on the backend side.


For adding code to your mashups, you might be interested in this widget. Another alternative would be for you to write a widget containing the code that you want to run.


Be aware that, outside of the expression and validator functions, PTC doesn't really support this use case as far as I know, so the support teams might not be able to help if you run into issues with your custom code.
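
As an added example (not part of this thread and not code from the ThingWorx grid widget), here is what the double-click copy handler the question describes can look like when written along the lines of the accepted answer: the cell value is only ever read as text and handed to the clipboard API, never evaluated or inserted as markup, so a cell's contents stay data rather than becoming code. The `.grid-cell` class, the element ids in the usage comment, and the injected `grid` and `clipboard` objects are assumptions; passing them in lets the logic run outside a browser.

```javascript
// Added example: copy-on-double-click for a grid, written so that cell
// contents are always treated as data, never as code.
// Assumptions: each cell carries the class "grid-cell"; the grid element and
// the clipboard object are passed in (navigator.clipboard in a browser).

// Return the text that should reach the clipboard for a cell.
// textContent yields the rendered text only; innerHTML would hand raw markup
// to the caller, which is how cell data turns into executable content later.
function cellTextForClipboard(cell) {
  const text = cell && typeof cell.textContent === 'string' ? cell.textContent : '';
  return text.trim();
}

// If a copied value is later re-rendered into the page (e.g. a "Copied: ..."
// toast), escape it instead of assigning it to innerHTML unchanged. This is the
// client-side counterpart of the backend validation the answer recommends.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Wire the handler. `grid` is any object with addEventListener; `clipboard` is
// anything with writeText(text) returning a Promise. One delegated listener
// serves every cell, including rows the widget adds later.
function attachCopyOnDoubleClick(grid, clipboard, onCopied) {
  const handler = async (event) => {
    const target = event && event.target;
    const cell = target && typeof target.closest === 'function'
      ? target.closest('.grid-cell')
      : null;
    if (!cell) return;
    const text = cellTextForClipboard(cell);
    await clipboard.writeText(text); // data goes out; nothing from the cell is evaluated
    if (onCopied) onCopied(text);
  };
  grid.addEventListener('dblclick', handler);
  return handler; // returned so callers can removeEventListener later
}

// The pattern to avoid, for contrast: building a statement or HTML string from
// cell.textContent and feeding it to eval/new Function/innerHTML. That turns
// whatever the backend put in the cell into code running in every viewer's browser.

// Browser usage (assumed element ids):
//   attachCopyOnDoubleClick(
//     document.getElementById('advancedGrid'),
//     navigator.clipboard,
//     (t) => { document.getElementById('toast').innerHTML = 'Copied: ' + escapeHtml(t); }
//   );
```

Because the grid and clipboard are injected, the same handler can be exercised with fake objects, which is also how you confirm that markup-looking cell text is copied verbatim rather than interpreted.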
