General Security Considerations

This document describes how to avoid possible security risks when deploying your web reporting application.

Important

See Reporting Security for more information on security considerations related to storing and distributing DevExpress reports.

Ensuring XSS Security

All reporting controls are protected against injecting and executing custom scripts on the client. The corresponding property values are always encoded on export to HTML.

Users of the End-User Report Designer for the Web can add a "javascript:" prefix to the XRControl.NavigateUrl property value, which allows the link to execute JavaScript code on the client, making other users vulnerable to cross-site scripting (XSS) attacks.

By default, JavaScript code execution is prohibited by the ASPxDocumentViewer and ASPxWebDocumentViewer controls. If your application relies on scripts in URLs, you can explicitly enable them using the following properties.

Protecting Sensitive Information

Ensuring Authorized Access to Reports

To ensure that users have access only to authorized reports, do one of the following:

Avoiding Exposure of Sensitive Information in Report URLs

The HTML5 Document Viewer opens reports using one of the following method calls that open a report by its URL:

  • ASPxWebDocumentViewer.OpenReport(String)
  • WebDocumentViewerExtension.Bind(String)

The specified URL is transmitted to the client, which exposes any information it contains, such as details of your application's internal structure.

Make sure that no sensitive information is present in a report URL. We also strongly recommend that you provide proper authorization logic in your IWebDocumentViewerReportResolver implementation.
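As an added illustration (not code from the DevExpress documentation), the following resolver maps opaque report keys to report classes and checks the caller's role before instantiating a report, so the viewer URL carries no paths or type names. It assumes the ASP.NET HttpContext.Current.User principal and two hypothetical XtraReport subclasses, SalesReport and PayrollReport.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;

// The viewer is opened with an opaque key such as "sales"; the key never names
// a file or type, so the URL reveals nothing about the application's layout.
public class AuthorizedReportResolver : IWebDocumentViewerReportResolver
{
    // Allowlist of report keys: factory plus the roles permitted to open the report.
    // SalesReport and PayrollReport are hypothetical XtraReport subclasses.
    static readonly Dictionary<string, (Func<XtraReport> Create, string[] Roles)> Catalog =
        new Dictionary<string, (Func<XtraReport> Create, string[] Roles)>(StringComparer.Ordinal)
        {
            ["sales"]   = (() => new SalesReport(),   new[] { "Sales", "Admin" }),
            ["payroll"] = (() => new PayrollReport(), new[] { "HR", "Admin" }),
        };

    public XtraReport Resolve(string reportEntryName)
    {
        IPrincipal user = HttpContext.Current?.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Authentication required.");

        // Unknown keys are rejected outright: nothing is ever loaded from disk
        // based on the value supplied in the URL.
        if (reportEntryName == null || !Catalog.TryGetValue(reportEntryName, out var entry))
            throw new UnauthorizedAccessException("Report not available.");

        foreach (string role in entry.Roles)
            if (user.IsInRole(role))
                return entry.Create();

        // Same message as for an unknown key, so callers cannot probe which keys exist.
        throw new UnauthorizedAccessException("Report not available.");
    }
}

// Registration at application startup (assumed to be Global.asax Application_Start):
// DefaultWebDocumentViewerContainer.Register<IWebDocumentViewerReportResolver, AuthorizedReportResolver>();
```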

Ensuring Safe Loading of Images from URLs

To restrict unauthorized access to images on the server, the XRPictureBox.ImageUrl property of the XRPictureBox report control does not accept the "file://" protocol by default (only "http://", "https://" and "ftp://" protocols are enabled). The same applies to the XRRichText report control when images are added using the IncludePicture field.

To enable using the "file://" protocol for loading images, set the UrlAccessSecurityLevelSetting.SecurityLevel property to one of the following UrlAccessSecurityLevel enumeration values:

Password Security on the Client Side

The PDF and Excel passwords specified for a report, along with other export options, are always passed in a POST request, preventing the exposure of these passwords in the browser history.

If users share a report, the passwords specified for files exported to PDF and Excel are not exposed in the Web Document Viewer. Should a user have access to documents exported by others, they cannot bypass the password protection if the default password was used.

To enable passing PDF/Excel passwords specified in the Report Designer to the Web Document Viewer, call the DefaultWebDocumentViewerContainer.EnablePassingExportOptionsPasswordsToClient method of the DefaultWebDocumentViewerContainer class.

Password Security on the Server Side

If you save your report layout to a report definition (REPX) file, it will store PDF/Excel passwords in plain-text. Ensure that only trusted parties have access to report definition files.

Enabling Report Scripts

To make sure that your application properly implements script security, both the execution of all report scripts and the capability to view and edit scripts in the Web Report Designer are disabled by default.

Important

Be advised that report scripts are not secure and enable them only in a trusted environment.

To learn how to enable scripting in the Web Report Designer, see Scripts Security.