Skip to main content
S
SS_95847981-Visitor
1-Visitor
March 10, 2022
Solved

JavaScript Injection

  • March 10, 2022
  • 1 reply
  • 1359 views

Hi All,

We are trying to add functionality to the advanced grid widget where double clicking a cell would copy to clipboard whatever is contained in the cell.
What would be the security risk of adding javascript to the page if that code is not being run on the server side, and only on the client side.
How would this be any different from someone running code through the inspect tool of their browser?

Other useful scenarios would be to do client-side processing for manipulating the DOM without constant calls back to the server to run services.

Thanks in Advance.

Thanks,

Sakshi Sikarwar

Best answer by BogdanM

Realistically, the security risk of such code depends on what you write; as long as you have control over what gets executed (e.g. don't load arbitrary code, don't allow end users to input code) and the code that you write is secure you should be fine. On the client side, the major issue is with executing unintended code. As you pointed out, if there would be any inherent risk in executing code on the client side generally, a bad actor would just be able to open the inspector and exploit it. This is why it's very important to perform the proper validation and set up the appropriate access control on the backend side.

 

For adding code to your mashups, you might be interested in this widget. Another alternative would be for you to write a widget containing the code that you want to run.

 

Be aware that, outside of the expression and validator functions, ptc doesn't really support this use case as far as I know, so the support teams might not be able to help if you run into issues with your custom code.

1 reply

B
BogdanM1-VisitorAnswer
1-Visitor
March 11, 2022

Realistically, the security risk of such code depends on what you write; as long as you have control over what gets executed (e.g. don't load arbitrary code, don't allow end users to input code) and the code that you write is secure you should be fine. On the client side, the major issue is with executing unintended code. As you pointed out, if there would be any inherent risk in executing code on the client side generally, a bad actor would just be able to open the inspector and exploit it. This is why it's very important to perform the proper validation and set up the appropriate access control on the backend side.

 

For adding code to your mashups, you might be interested in this widget. Another alternative would be for you to write a widget containing the code that you want to run.

 

Be aware that, outside of the expression and validator functions, ptc doesn't really support this use case as far as I know, so the support teams might not be able to help if you run into issues with your custom code.

Terms & ConditionsCookie settingsAccessibility statement