General Security Considerations
This document describes how to avoid common security risks when deploying a web reporting application.
Important
See Reporting Security for more information on security considerations related to storing and distributing DevExpress reports.
Ensuring XSS Security
All reporting controls are protected against injecting and executing custom scripts on the client: the corresponding property values are always HTML-encoded on export to HTML.
One remaining vector is link targets. A user of the End-User Report Designer for the Web can prefix the XRControl.NavigateUrl property value with "javascript:", which makes the link execute JavaScript in the browser of whoever later views the report, that is, a stored cross-site scripting (XSS) attack against other users.
By default, the ASPxDocumentViewer and ASPxWebDocumentViewer controls refuse to execute JavaScript in URLs. If your application relies on scripts in URLs, you can explicitly enable them with the following properties. Do so only when everyone who can edit reports is trusted, because enabling them re-opens the XSS vector described above.
- ASPxWebDocumentViewer.AllowURLsWithJSContent
- DocumentViewerReportViewerSettings.AllowURLsWithJSContent
- WebDocumentViewerSettings.AllowURLsWithJSContent
- HtmlExportOptionsBase.AllowURLsWithJSContent
Protecting Sensitive Information
Ensuring Authorized Access to Reports
To ensure that users can open only the reports they are authorized to see, do one of the following:
- Register a custom implementation of the IWebDocumentViewerReportResolver interface that checks the current user before returning a report.
- Call the DefaultWebDocumentViewerContainer.UseReportStorageExtensionReportResolver method, which delegates report resolving to the currently registered ReportStorageWebExtension (your storage extension then has to perform the authorization check).
Avoiding Exposure of Sensitive Information in Report URLs
The HTML5 Document Viewer opens a report by its URL through one of the following method calls:
- ASPxWebDocumentViewer.OpenReport(String)
- WebDocumentViewerExtension.Bind(String)
The specified URL is transmitted to the client and therefore exposes whatever information it contains, such as your application's internal structure (type names, file paths, database identifiers).
Make sure that no sensitive information is present in a report URL; an opaque key that the server maps to the actual report is preferable to a path or type name. We also strongly recommend that you implement proper authorization logic in your IWebDocumentViewerReportResolver implementation, because the URL is client-controlled and a user can substitute any value for it.
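The following added example (not code from the DevExpress documentation or product) shows one way to satisfy both points above: a custom IWebDocumentViewerReportResolver that accepts only opaque report keys, maps them to reports on the server, and refuses to return a report unless the current user holds the role assigned to it. It assumes an ASP.NET Web Forms host where HttpContext.Current.User carries the authenticated principal; the report classes, the catalog contents and the ReportingStartup.Configure helper are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;

// Hypothetical report classes; any XtraReport descendant works here.
public class SalesReport : XtraReport { }
public class PayrollReport : XtraReport { }

// Resolves opaque report keys (all the browser ever sees) to report instances
// and enforces a per-report role check before anything is rendered.
public class AuthorizingReportResolver : IWebDocumentViewerReportResolver {
    sealed class Entry {
        public Func<XtraReport> Create;
        public string RequiredRole;
    }

    // Constructed catalog for the example; a real application would load it
    // from configuration or a database. Keys are ordinal (case-sensitive) on purpose.
    static readonly Dictionary<string, Entry> Catalog = new Dictionary<string, Entry>(StringComparer.Ordinal) {
        { "sales",   new Entry { Create = () => new SalesReport(),   RequiredRole = "Sales" } },
        { "payroll", new Entry { Create = () => new PayrollReport(), RequiredRole = "HR" } },
    };

    public XtraReport Resolve(string reportUrl) {
        IPrincipal user = HttpContext.Current != null ? HttpContext.Current.User : null;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Authentication required.");

        Entry entry;
        // An unknown key and a forbidden key produce the same generic error,
        // so a caller cannot enumerate which keys exist. The message may be shown
        // to the client, so it deliberately names neither the key nor the role.
        if (reportUrl == null || !Catalog.TryGetValue(reportUrl, out entry) || !user.IsInRole(entry.RequiredRole))
            throw new UnauthorizedAccessException("The requested report is not available.");

        return entry.Create();
    }
}

// Hypothetical startup helper: call once from Global.asax Application_Start.
public static class ReportingStartup {
    public static void Configure() {
        DefaultWebDocumentViewerContainer.Register<IWebDocumentViewerReportResolver, AuthorizingReportResolver>();
    }
}
```

With this resolver registered, a page opens a report with an opaque key such as `viewer.OpenReport("sales")`; the key is the only thing that reaches the browser, and changing it to "payroll" yields the generic error unless the user is in the HR role.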
Ensuring Safe Loading of Images from URLs
To prevent a report from reading arbitrary files on the server, the XRPictureBox.ImageUrl property of the XRPictureBox report control does not accept the "file://" scheme by default (only the "http://", "https://" and "ftp://" schemes are enabled). The same applies to the XRRichText report control when images are added using the IncludePicture field.
To enable the "file://" scheme for loading images, set the UrlAccessSecurityLevelSetting.SecurityLevel property to one of the following UrlAccessSecurityLevel enumeration values:
- UrlAccessSecurityLevel.FilesFromBaseDirectory
  Enables loading of images from the application's working directory (defined by the AppDomain.CurrentDomain.BaseDirectory property).
-
  Enables loading of images from custom directories (defined using the UrlAccessSecurityLevelSetting.RegisterCustomBaseDirectories or UrlAccessSecurityLevelSetting.RegisterCustomCallback method).
- UrlAccessSecurityLevel.Unrestricted
  Enables loading of any image from any directory.
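The following added example (not code from the DevExpress documentation or product) shows the base-directory setting being applied at startup, next to a hypothetical containment check that illustrates what such a policy must do with a file:// URL: canonicalize the path first, so that ".." segments cannot escape the allowed directory. ImageUrlSecurity and IsUnderBaseDirectory are this example's own names, not a DevExpress API; the check assumes Windows-style case-insensitive paths.

```csharp
using System;
using System.IO;
using DevExpress.XtraReports.Security;

public static class ImageUrlSecurity {
    // Hypothetical startup hook: call once from Global.asax Application_Start.
    public static void Configure() {
        // Default behaviour rejects file:// entirely (only http, https and ftp load).
        // Allow file:// only for images located under the application's base directory.
        UrlAccessSecurityLevelSetting.SecurityLevel = UrlAccessSecurityLevel.FilesFromBaseDirectory;
    }

    // Hypothetical helper, not the library's own check: returns true only if the
    // file:// URL resolves to a path inside baseDirectory after canonicalization.
    public static bool IsUnderBaseDirectory(string fileUrl, string baseDirectory) {
        Uri uri;
        if (!Uri.TryCreate(fileUrl, UriKind.Absolute, out uri) || !uri.IsFile)
            return false;

        // Normalize both sides and keep a trailing separator so that "C:\app" does not
        // match "C:\app-secrets\...".
        string root = Path.GetFullPath(baseDirectory)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        // GetFullPath collapses ".." and "." segments, which is what defeats traversal.
        string candidate = Path.GetFullPath(uri.LocalPath);

        // Assumption: Windows host, so path comparison is case-insensitive.
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }
}
```

Given a base directory of C:\inetpub\app, a URL such as file:///C:/inetpub/app/images/logo.png passes the check, while file:///C:/inetpub/app/images/../../../Windows/win.ini is rejected because GetFullPath resolves it to C:\Windows\win.ini before the prefix comparison. An http:// URL also fails the check, because the helper only decides about file:// resources.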
Password Security on the Client Side
The PDF and Excel passwords specified for a report, along with the other export options, are always sent in a POST request body, so they do not end up in the browser history or server access logs the way query-string parameters would.
By default, the PDF and Excel passwords specified in a report are not passed to the Web Document Viewer client at all. A user who shares a report therefore does not expose its passwords, and a user who obtains documents exported by others cannot bypass their password protection when the default password was used.
To pass the PDF/Excel passwords specified in the Report Designer to the Web Document Viewer, call the DefaultWebDocumentViewerContainer.EnablePassingExportOptionsPasswordsToClient method. Enable this only if every user who can open the viewer may know those passwords, because the values are then delivered to the browser.
Password Security on the Server Side
If you save your report layout to a report definition (REPX) file, the PDF/Excel passwords are stored in it in plain text. Treat report definition files as secrets: restrict file-system access to trusted parties and do not commit them to shared repositories or ship them to clients.
Enabling Report Scripts
To make sure that your application properly implements script security, both the execution of all report scripts and the capability to view and edit scripts in the Web Report Designer are disabled by default.
Important
Report scripts are compiled and executed on the server, so anyone who can edit a report can run arbitrary code with the application's privileges. Enable them only in a trusted environment.
To learn how to enable scripting in the Web Report Designer, see Scripting Security.