Intersoft Community - WebCombo

Webcombo Security issue

sphinxg@usa.net — Thu, 23 Nov 2023 12:11:16 GMT

Hi,

I am using Intersoft webcombo in my ASP.Net Web application.

I am checking the application security using the tool semgrep for SAST (Static Application Security Testing).

While testing I face the below errors. The JavaScript generated by the webcombo is causing the issue .

Please help me to solve these issues.

Files in which error occured:

· CoreValidator.js
· Core_DragDrop.js
· ISCore.js
· WebUIValidation.js
· WebCombo.js

Error Message 1:

javascript.browser.security.insecure-document-method.insecure-document-method User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

... e.innerHTML=v;WC40Engine.InvalidateResultBox(f);return v},WriteCOLs:function(f,d){var e="";if(f.LayoutSettings.ComboMode=="MultipleColumns"){var a= ...

... b.innerHTML="<nobr>"+l.Text+"</nobr>"}}else{var h=p.Columns;for(var k=0;k<h.length;k++){var f=h[k];if(f.Hidden&&!f.RenderOnHidden){continue}var q=f ...

Error Message 2:

javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp RegExp() called with a `e` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

…RegExp(c.Pattern,"img");g=c.NewValue.match(re);if(g==null){c.NewValue=c.NewValue.replace(new RegExp("\\s+","g"),"");g=c.NewValue.match(re)}if(g== ...

Error Message 3:

javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

al(this.getAttribute(name))}}}},_EmulateSelectionModel:function(){Object.defineProperty(HTMLDocument.prototype,"selection",{get:function(){return w ...

Error Message 4:

javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization `h.replace` method will only replace the first occurrence when used with a string argument ("$"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.

replace("$","\\s*\\"+i+"\\s*")}else{if(j=="percent"){h=h.replace(i,"\\s*\\"+i+"\\s*")}}h="(?:^"+h.replace(new RegExp("\\s*","g"),"")+"$)";return h} ...

With Regards,

Giridhar JG

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:33:32 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result was manually verified to determine its accuracy.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:31:46 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:31:45 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

Regarding XSS issue faced in the web combo.

sphinxg@usa.net — Tue, 01 Aug 2023 08:30:25 GMT

Hi,

We are facing the below mentioned security issue in one of our client environments.

Kindly find the attached screenshots for reference(Request and Response).

Kindly help us to resolve the same

Thanks in advance.

File versions between 2016 R1 and 2017 R1

fbadev — Tue, 11 Jun 2019 15:39:10 GMT

Hello,

I upgraded Intersoft WebUI package from 2016 R1 to 2017 R1. After upgrade, I realized there was an odd issue on file versions. The last release must has higher minor version number but on this issue, the previous release has higher minor version number. Matched list between two different versions listed below.

2016 R1 ISNet.WebUI.WebCombo.dll 7.0.7200.280

2017 R1 ISNet.WebUI.WebCombo.dll 7.0.7200.276

2016 R1 ISNet.dll 3.0.5000.978

2017 R1 ISNet.dll 3.0.5000.975

Component not render

peppecar — Thu, 04 Apr 2019 14:14:57 GMT

Hi to all,

i'm running a project migrated from Visual 2008 to Visual Studio 2017 and i have a problem with Intersoft Components. The component is not rendered. The WebCombo present this layout(see attach file).

Can you help me, please?

Thanks

Giuseppe

Regarding Behaviour of WebCombo in iOS Devices

sphinxg@usa.net — Mon, 11 Mar 2019 12:26:06 GMT

Hi,

We are using WebCombo 7

On Android device (Tablet), we have called a web page with webcombo and we are able to search suggestion and from the suggestion we are able to select the value

But on IOS ddevice (IPAD IOS version 9.0) webcombo search suggestion list is showing and the typed text is shown inside suggestion list so that it overlaps and we unable view typed text.

In IOS devices (IPhone IOS version 12.1) webcombo search suggestion list is shown below iOS Keypad. So the typed text cannot be viewed and couldn't select the suggestion list due to keyboard overlapped on suggestion list. And also control auto scrolled when typing search text. so that we unbale to select the search suggestion list.

Thanks in Advance

Webcombo (Multiselect Option with Checkbox)

sphinxg@usa.net — Mon, 29 Jan 2018 08:24:11 GMT

Hi,

We are using webcombo (multiselect option with checkbox). We are binding around 60000 records. The page is not loading. Kindly let us know on how to accompolish the same.

Thanks

Reg: WebCombo Typing, Filtering & Select All option in multiselect web combo

sphinxg@usa.net — Fri, 19 Jan 2018 06:07:22 GMT

Hi,

We are using Intersoft WebCombo with multiselect functionality.

If TextBoxMode="Editable" then the checkbox is not showing and selection change event is fired for every value selected. If the TextBoxMode="ReadOnly" then checkboxes are shown and we are able to select multiple values but the we are not able to type any text for filtering the data.

Following is our requirement

1. We need provision to type some text.

2. Select all the records/part of records from the filtered data.

3. Selection change event has to be fired after selecting the filtered records.

Kindly let us know if any option is available for achieving the above functionality.

Thanks