Scripts - Security Considerations
- 3 minutes to read
This document addresses security implications related to report scripts and describes how to negate security risks.
Important
Report scripts are not secure. We recommend that you use expression bindings to customize your reports. Only enable scripts if you trust your reports and you are in a situation where you cannot use expression bindings.
Script Execution Modes
The following table lists the available script execution modes and their default values for each target platform:
Execution Mode | Description | Enabled In |
---|---|---|
Deny (Recommended) | Denies script execution. In this mode, the Report Designer hides the Scripts Editor and does not list script events in the Properties window. The Document Viewer opens the report and does not run the attached scripts. |
|
Unrestricted | Enables script execution at your own risk. |
|
Obsolete. Use the Deny mode instead to ensure report security. Use the Unrestricted mode in a trusted environment only. |
If you enable report scripts, users are at risk of running malicious code on their machines. In web applications, scripts are disabled out-of-the-box because scripts run on the server and the risk is higher.
We recommend that you enable the Deny mode in any application to avoid potential security threats. To do this, register a ScriptPermissionManager class instance at application startup and pass the ExecutionMode.Deny value as the constructor parameter.
ASP.NET MVC
using DevExpress.XtraReports.Security;
// ...
ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);
ASP.NET Core
using DevExpress.XtraReports.Security;
ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);
var builder = WebApplication.CreateBuilder(args);
// ...
Multi-User Environment Specifics
In a multi-user application, you can share your reports with other users. Reports scripts can run on server and client machines. To protect other users and yourself, we recommend that you do the following:
Set the Deny script execution mode on all machines at application startup.
Remove the script code from the report definition files when you save them. To do this, set the XtraReport.ScriptsSource property to an empty string in the method that saves the report in your report storage.
using DevExpress.XtraReports.Extensions; using DevExpress.XtraReports.UI; using System.IO; class MyReportStorage: ReportStorageExtension { // ... public void SetData(byte[] reportBytes, string reportName){ var reportLayout = ClearReportScripts(reportBytes); File.WriteAllBytes(reportName, reportLayout); } public byte[] ClearReportScripts(byte[] reportBytes) { using (var stream = new MemoryStream(reportBytes)) { var report = XtraReport.FromStream(stream); report.ScriptsSource = ""; using (var streamToSave = new MemoryStream()) { report.SaveLayoutToXml(streamToSave); return streamToSave.ToArray(); } } } }