Scripts - Security Considerations

This document addresses the security implications of report scripts and describes how to mitigate the associated risks.

Important

Report scripts are not secure and are disabled by default. We recommend that you use expression bindings to customize your reports. Use scripts only if you trust your reports and you cannot switch to expression bindings.

# Script Execution Mode

The default configuration for script execution mode is Deny. In this mode, the Report Designer hides the Scripts Editor and does not list script events in the Properties window. The Document Viewer does not run attached scripts when it opens a report.

The following report controls and API members support report scripts:

Note

Blazor WebAssembly Reporting applications do not support scripts.

To activate report scripts, register a ScriptPermissionManager class instance at application startup. Pass ExecutionMode.Unrestricted as the constructor parameter. Note that in this mode users are at risk of running malicious code on their machines. Use Unrestricted mode in a trusted environment only.
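The following startup code is an added example and is not taken from the DevExpress documentation or product sources. It shows the two modes side by side: the default `Deny` stays in force unless a deployment explicitly opts in through a configuration flag (the key name `Reporting:AllowUnrestrictedScripts` is hypothetical). The `DevExpress.XtraReports.Security` namespace and the `ScriptPermissionManager.GlobalInstance` property are assumed from the library's API; the page itself only says to register a `ScriptPermissionManager` instance at startup.

```csharp
using DevExpress.XtraReports.Security;
using Microsoft.Extensions.Configuration;

// Added example: resolve the script execution mode from configuration so that
// Unrestricted is never the silent default and the decision is auditable.
static class ReportScriptPolicy
{
    // Hypothetical configuration key; set it to true only in a trusted,
    // single-tenant environment where every report author is trusted.
    const string AllowUnrestrictedKey = "Reporting:AllowUnrestrictedScripts";

    public static ExecutionMode ResolveMode(IConfiguration config)
    {
        bool allowUnrestricted = config.GetValue<bool>(AllowUnrestrictedKey, false);
        // Deny: Scripts Editor hidden, script events not listed, scripts not run.
        // Unrestricted: report scripts are compiled and executed (trusted setups only).
        return allowUnrestricted ? ExecutionMode.Unrestricted : ExecutionMode.Deny;
    }

    public static void Apply(ExecutionMode mode)
    {
        // Assumed library API: registering the permission manager instance
        // for the whole application, as the documentation describes.
        ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(mode);
    }
}

// Usage at application startup (e.g. in Program.cs of an ASP.NET Core app):
//   ReportScriptPolicy.Apply(ReportScriptPolicy.ResolveMode(builder.Configuration));
```

Keeping the mode behind a configuration value, rather than hard-coding `ExecutionMode.Unrestricted`, makes it visible in deployment review which environments accept script execution and which keep the default.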

# Multi-User Environment Specifics

Your application may allow multiple users to access and modify the same report. Scripts specified by one user can run on the server or on another user’s client machine. To protect application users and yourself, we recommend that you remove script code from report definition files. To do this, set the XtraReport.ScriptsSource property to an empty string in the method that saves a report to your report storage.

# [C#](#tab/tabid-csharp)

```csharp
using DevExpress.XtraReports.Extensions;
using DevExpress.XtraReports.UI;
using System.IO;

class MyReportStorage : ReportStorageExtension {
    // ...
    public void SetData(byte[] reportBytes, string reportName){
        // Strip script code before the layout is persisted so that no
        // user-supplied code reaches the server or other users' machines.
        var reportLayout = ClearReportScripts(reportBytes);
        File.WriteAllBytes(reportName, reportLayout);
    }

    public byte[] ClearReportScripts(byte[] reportBytes) {
        using (var stream = new MemoryStream(reportBytes)) {
            var report = XtraReport.FromStream(stream);
            // An empty ScriptsSource leaves nothing for the engine to compile or run.
            report.ScriptsSource = "";
            using (var streamToSave = new MemoryStream()) {
                report.SaveLayoutToXml(streamToSave);
                return streamToSave.ToArray();
            }
        }
    }
}
```

# [VB.NET](#tab/tabid-vb)

```vb
Imports DevExpress.XtraReports.Extensions
Imports DevExpress.XtraReports.UI
Imports System.IO

Class MyReportStorage
    Inherits ReportStorageExtension

    ' ...
    Public Sub SetData(ByVal reportBytes As Byte(), ByVal reportName As String)
        ' Strip script code before the layout is persisted so that no
        ' user-supplied code reaches the server or other users' machines.
        Dim reportLayout = ClearReportScripts(reportBytes)
        File.WriteAllBytes(reportName, reportLayout)
    End Sub

    Public Function ClearReportScripts(ByVal reportBytes As Byte()) As Byte()
        Using stream = New MemoryStream(reportBytes)
            Dim report = XtraReport.FromStream(stream)
            ' An empty ScriptsSource leaves nothing for the engine to compile or run.
            report.ScriptsSource = ""

            Using streamToSave = New MemoryStream()
                report.SaveLayoutToXml(streamToSave)
                Return streamToSave.ToArray()
            End Using
        End Using
    End Function
End Class
```
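Stripping scripts on save only protects layouts written through the updated storage. Layouts saved earlier, or imported from elsewhere, may still carry script source. The following check is an added example, not code from the DevExpress documentation, that complements the storage above by refusing to serve a stored layout whose `ScriptsSource` is not empty. It uses `XtraReport.FromStream` and `ScriptsSource`, both shown on this page; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using DevExpress.XtraReports.UI;

// Added example: detect script source left in stored report layouts before
// they are handed to the designer or viewer.
static class ReportLayoutAudit
{
    // Returns true when the serialized layout still carries script source.
    public static bool ContainsScripts(byte[] layoutBytes)
    {
        using var stream = new MemoryStream(layoutBytes);
        // Loading the layout does not compile or run scripts; it only
        // deserializes the report definition so we can inspect it.
        using var report = XtraReport.FromStream(stream);
        return !string.IsNullOrWhiteSpace(report.ScriptsSource);
    }

    // Gate for a storage's read path: a layout that contains scripts is rejected
    // instead of being served, so legacy files cannot bypass the save-time stripping.
    public static byte[] LoadOrReject(string path)
    {
        var bytes = File.ReadAllBytes(path);
        if (ContainsScripts(bytes))
        {
            throw new InvalidOperationException(
                $"Report layout '{Path.GetFileName(path)}' contains script code and was rejected.");
        }
        return bytes;
    }
}

// Usage inside a ReportStorageExtension.GetData override (hypothetical):
//   return ReportLayoutAudit.LoadOrReject(Path.Combine(storageRoot, url));
```

Rejecting (and logging) rather than silently stripping on read makes leftover scripts visible, which is useful when migrating an existing report store to the script-free policy.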
