General Security Considerations

• Aug 03, 2020
• 3 minutes to read

This document describes how to avoid possible security risks when deploying your web reporting application.

Cross-site Scripting (XSS) Security

• Client-side reporting controls are protected against script injection. Property values are always encoded when they are exported to HTML.

• Web End-User Report Designer

  A user can add a “javascript:” prefix to the XRControl.NavigateUrl property value that allows the link to execute JavaScript code on the client and leaves other users vulnerable to cross-site scripting (XSS) attacks.

• Web Document Viewer

  ASPxDocumentViewer and ASPxWebDocumentViewer controls do not allow JavaScript code execution out-of-the-box. If your application relies on scripts in URLs, use the following properties to enable URLs with JavaScript:

  • ASPxWebDocumentViewer.AllowURLsWithJSContent
  • DocumentViewerReportViewerSettings.AllowURLsWithJSContent
  • WebDocumentViewerSettings.AllowURLsWithJSContent
  • HtmlExportOptionsBase.AllowURLsWithJSContent

Protect Sensitive Information

Ensure Authorized Access to Reports

To ensure that users have access only to authorized reports, do one of the following:

• Register a custom implementation of the IWebDocumentViewerReportResolver interface.
• Call the DefaultWebDocumentViewerContainer.UseReportStorageExtensionReportResolver method that delegates report name resolving logic to the registered ReportStorageWebExtension descendant.
• Register a custom implementation of the ICachedReportSourceWebResolver interface.

Avoid Sensitive Data Exposure Through Report URL

The Document Viewer uses the following methods to open a report from a URL:

• ASPxWebDocumentViewer.OpenReport(String)
• WebDocumentViewerExtension.Bind(String)

The specified URL goes to the client and can reveal the sensitive information, such as your application’s internal structure.

Make sure that the report URL does not contain sensitive information. You should implement authorization logic in the IWebDocumentViewerReportResolver and/or ICachedReportSourceWebResolver implementation.

Ensure Safe Image Loading from URL

To restrict unauthorized access to images on the server, the XRPictureBox.ImageUrl property does not accept the “file://“ protocol out-of-the-box (it accepts only “http://“, “https://“ and “ftp://“ protocols). The same rule applies to the XRRichText report control for images in the IncludePicture fields.

To allow the “file://“ protocol in image URLs, use the DevExpress.Security.Resources.AccessSettings class to apply access rules that allow image loading from the specified locations.

Protect Passwords on the Client Side

Passwords for PDF and Excel files with other export options are always passed in a POST request to exclude them from the browser history.

If users share a report, passwords specified for PDF and Excel files are not exposed in the Web Document Viewer. A user who has access to documents, exported by other users, cannot bypass password protection.

To pass PDF/Excel passwords, specified in the Report Designer, to the Web Document Viewer, call the DefaultWebDocumentViewerContainer.EnablePassingExportOptionsPasswordsToClient method.

Protect Passwords on the Server Side

The report definition (REPX) file stores PDF/Excel passwords in plain text. Ensure that only trusted parties have access to report definition files.

Disable Report Scripts

For security reasons the Web End-User Report Designer does not allow script execution, view, and edit out-of-the-box.

For information on how to enable scripts in the Web End-User Report Designer, review the following topic: Scripts Security.