General Security Considerations
This document describes how to avoid possible security risks when deploying your web reporting application.
Important
See Reporting Security for more information on security considerations related to storing and distributing DevExpress reports.
Cross-site Scripting (XSS) Security
Client-side reporting controls are protected against script injection. Property values are always encoded when they are exported to HTML.
Web End-User Report Designer
If a user adds a “javascript:” prefix to the XRControl.NavigateUrl property value, the link executes JavaScript code on the client and leaves other users vulnerable to cross-site scripting (XSS) attacks.
Web Document Viewer
ASPxDocumentViewer and ASPxWebDocumentViewer controls do not allow JavaScript code execution out-of-the-box. If your application relies on scripts in URLs, use the following properties to enable URLs with JavaScript:
Protect Sensitive Information
Ensure Authorized Access to Reports
To ensure that users have access only to authorized reports, do one of the following:
- Register a custom implementation of the IWebDocumentViewerReportResolver interface.
- Call the DefaultWebDocumentViewerContainer.UseReportStorageExtensionReportResolver method that delegates report name resolving logic to the registered ReportStorageWebExtension descendant.
- Register a custom implementation of the ICachedReportSourceWebResolver interface.
Avoid Sensitive Data Exposure Through Report URL
The Document Viewer uses the following methods to open a report from a URL:
The specified URL is sent to the client and can reveal sensitive information, such as your application’s internal structure.
Make sure that the report URL does not contain sensitive information. Implement authorization logic in your IWebDocumentViewerReportResolver and/or ICachedReportSourceWebResolver implementation.
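The following is an added example (not code from this page or from DevExpress) of a custom IWebDocumentViewerReportResolver that covers both points above: the viewer receives only an opaque catalog key in the URL rather than a file path or type name, and the resolver checks the current user's roles before creating the report. The catalog keys, the SalesReport and PayrollReport placeholder classes, the role names and the ReportingSecuritySetup class are assumptions for illustration; the Resolve method signature and the DefaultWebDocumentViewerContainer.Register call are the DevExpress API.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;

// Placeholder report classes (assumed; real reports come from the Report Designer).
public class SalesReport : XtraReport { }
public class PayrollReport : XtraReport { }

// Added example, not DevExpress code: the Document Viewer passes the report
// name from the URL to Resolve(); this resolver maps opaque keys to report
// factories and authorizes the current user before creating the report.
public class AuthorizingReportResolver : IWebDocumentViewerReportResolver {
    // Opaque catalog keys: the client sees "sales-summary", never a type
    // name or a path on the server.
    static readonly Dictionary<string, Func<XtraReport>> Catalog =
        new Dictionary<string, Func<XtraReport>>(StringComparer.Ordinal) {
            { "sales-summary", () => new SalesReport() },
            { "payroll",       () => new PayrollReport() },
        };

    // Roles that may open each key (assumed role names).
    static readonly Dictionary<string, string[]> RequiredRoles =
        new Dictionary<string, string[]>(StringComparer.Ordinal) {
            { "sales-summary", new[] { "Sales", "Manager" } },
            { "payroll",       new[] { "HR" } },
        };

    public XtraReport Resolve(string reportEntryName) {
        IPrincipal user = HttpContext.Current?.User;

        // Use one message for "unknown key" and "not allowed" so the URL
        // cannot be used to enumerate which keys exist.
        if(string.IsNullOrEmpty(reportEntryName)
            || !Catalog.TryGetValue(reportEntryName, out Func<XtraReport> create)
            || !IsAuthorized(user, reportEntryName)) {
            throw new UnauthorizedAccessException("The requested report is not available.");
        }
        return create();
    }

    static bool IsAuthorized(IPrincipal user, string key) {
        if(user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if(!RequiredRoles.TryGetValue(key, out string[] roles))
            return false;   // no rule configured for this key: deny by default
        foreach(string role in roles)
            if(user.IsInRole(role))
                return true;
        return false;
    }
}

public static class ReportingSecuritySetup {
    // Call once at application start (for example from Global.asax
    // Application_Start) so the Document Viewer uses this resolver.
    public static void RegisterResolver() {
        DefaultWebDocumentViewerContainer
            .Register<IWebDocumentViewerReportResolver, AuthorizingReportResolver>();
    }
}
```

Denying by default when a key has no role rule, and returning the same error for missing and forbidden keys, keeps a mistyped or guessed URL from revealing anything about the report catalog.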
Ensure Safe Image Loading from URL
To restrict unauthorized access to images on the server, the XRPictureBox.ImageUrl property does not accept the “file://” protocol out-of-the-box (it accepts only the “http://”, “https://” and “ftp://” protocols). The same rule applies to the XRRichText report control for images in the IncludePicture fields.
To allow the “file://” protocol in image URLs, use the DevExpress.Security.Resources.AccessSettings class to apply access rules that allow image loading from the specified locations.
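As an added example (not code from this page or from DevExpress), the class below applies AccessSettings rules at application start so that file-based images are loaded from one designated folder only, while http/https image URLs keep working. The ImageAccessSetup class and the directory path are placeholders; the rule methods are used as I understand the DevExpress.Security.Resources API, and the assumption that the rules are set once at startup is mine.

```csharp
using DevExpress.Security.Resources;

// Added example, not DevExpress code: restrict file-based image loading to a
// single folder instead of allowing arbitrary "file://" paths.
public static class ImageAccessSetup {
    // Placeholder: the folder that holds report images on the server.
    const string ImageFolder = @"C:\inetpub\ReportImages";

    // Call once, e.g. from Global.asax Application_Start, before any report
    // is rendered. Everything that should stay allowed must be listed in the
    // same call: the DirectoryAccessRule enables "file://" (and relative)
    // paths under ImageFolder only, and UrlAccessRule.Allow() keeps remote
    // http/https images working as before.
    public static void Configure() {
        AccessSettings.ReportingSpecificResources.SetRules(
            DirectoryAccessRule.Allow(ImageFolder),
            UrlAccessRule.Allow()
        );
    }
}
```

Scoping the directory rule to one folder is the point: a rule that allowed the whole file system would let a report definition reference any file the web process can read, which is the exposure the default “file://” restriction exists to prevent.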
Protect Passwords on the Client Side
Passwords for PDF and Excel files, along with the other export options, are always passed in a POST request so that they are excluded from the browser history.
If users share a report, the passwords specified for PDF and Excel files are not exposed in the Web Document Viewer. A user who has access to documents exported by other users cannot bypass password protection.
To pass the PDF/Excel passwords specified in the Report Designer to the Web Document Viewer, call the DefaultWebDocumentViewerContainer.EnablePassingExportOptionsPasswordsToClient method.
Protect Passwords on the Server Side
The report definition (REPX) file stores PDF/Excel passwords in plain text. Ensure that only trusted parties have access to report definition files.
Disable Report Scripts
For security reasons, the Web End-User Report Designer does not allow scripts to be executed, viewed, or edited out-of-the-box.
Important
Report scripts are insecure. Use expression bindings instead.
For information on how to enable scripts in the Web End-User Report Designer, review the following topic: Scripts Security.