The requested page is not available for the requested platform. You are viewing the content for Default platform.

Scripts Security

This document addresses security implications related to report scripts and describes how to negate security risks.

Important

Report scripts are not secure. We recommend that you use expression bindings instead to provide custom functionality to your reports. Enable scripts only if you trust your reports, and you cannot use expression bindings in your scenario.

Script Execution Modes

The table below lists the available script execution modes.

Execution Mode

Description

Enabled In

Deny

Denies script execution.

In this mode, the Report Designer does not provide the Scripts Editor and does not list script events in the Property Grid.

Unrestricted

Enables script execution at your own risk.

Restricted

Obsolete.

Use the Deny mode instead to ensure report security. Use the Unrestricted mode in a trusted environment only.

We recommend that you enable the Deny mode in any application to avoid potential security threats. To do this, register a ScriptPermissionManager class instance at application startup and pass the ExecutionMode.Deny value as the constructor parameter.

using DevExpress.XtraReports.Security;
// ...

ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);

Multi-User Environment Specifics

In a multi-user application, you can share your reports with other users. Reports scripts can be executed on your server machine and on users’ client machines. To protect other users and yourself, we recommend that you do the following:

  • Set the Deny script execution mode on all machines at application startup.

    using DevExpress.XtraReports.Security;
    // ...
    
    ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);
    
  • Remove script code from report definition files when saving them. For instance, set the XtraReport.ScriptsSource property to an empty string in your storage’s SetData method.

    using DevExpress.XtraReports.Extensions;
    using DevExpress.XtraReports.UI;
    using System.IO;
    
    class MyReportStorage: ReportStorageExtension {
        // ...
        public void SetData(byte[] reportBytes, string reportName){
            var reportLayout = ClearReportScripts(reportBytes);
            File.WriteAllBytes(reportName, reportLayout);
        }
    
        public byte[] ClearReportScripts(byte[] reportBytes) {
            using (var stream = new MemoryStream(reportBytes)) {
                var report = XtraReport.FromStream(stream);
                report.ScriptsSource = "";
                using (var streamToSave = new MemoryStream()) {
                    report.SaveLayoutToXml(streamToSave);
                    return streamToSave.ToArray();
                }
            }
        }
    }