cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can Bookmark boards, posts or articles that you'd like to access again easily! X

JavaScript Injection

SS_9584798
2-Explorer

JavaScript Injection

Hi All,

We are trying to add functionality to the advanced grid widget where double clicking a cell would copy to clipboard whatever is contained in the cell.
What would be the security risk of adding javascript to the page if that code is not being run on the server side, and only on the client side.
How would this be any different from someone running code through the inspect tool of their browser?

Other useful scenarios would be to do client-side processing for manipulating the DOM without constant calls back to the server to run services.

Thanks in Advance.

Thanks,

Sakshi Sikarwar

ACCEPTED SOLUTION

Accepted Solutions
BogdanM
12-Amethyst
(To:SS_9584798)

Realistically, the security risk of such code depends on what you write; as long as you have control over what gets executed (e.g. don't load arbitrary code, don't allow end users to input code) and the code that you write is secure you should be fine. On the client side, the major issue is with executing unintended code. As you pointed out, if there would be any inherent risk in executing code on the client side generally, a bad actor would just be able to open the inspector and exploit it. This is why it's very important to perform the proper validation and set up the appropriate access control on the backend side.

 

For adding code to your mashups, you might be interested in this widget. Another alternative would be for you to write a widget containing the code that you want to run.

 

Be aware that, outside of the expression and validator functions, ptc doesn't really support this use case as far as I know, so the support teams might not be able to help if you run into issues with your custom code.

View solution in original post

1 REPLY 1
BogdanM
12-Amethyst
(To:SS_9584798)

Realistically, the security risk of such code depends on what you write; as long as you have control over what gets executed (e.g. don't load arbitrary code, don't allow end users to input code) and the code that you write is secure you should be fine. On the client side, the major issue is with executing unintended code. As you pointed out, if there would be any inherent risk in executing code on the client side generally, a bad actor would just be able to open the inspector and exploit it. This is why it's very important to perform the proper validation and set up the appropriate access control on the backend side.

 

For adding code to your mashups, you might be interested in this widget. Another alternative would be for you to write a widget containing the code that you want to run.

 

Be aware that, outside of the expression and validator functions, ptc doesn't really support this use case as far as I know, so the support teams might not be able to help if you run into issues with your custom code.

Announcements


Top Tags