Scripts Security
This document describes the security implications of report scripts and how to mitigate the associated risks.
Important
Report scripts are not secure. We recommend that you use expression bindings instead to provide custom functionality to your reports. Enable scripts only if you trust your reports, and you cannot use expression bindings in your scenario.
Script Execution Modes
The table below lists the available script execution modes and their default values for each target platform.

Execution Mode | Description | Enabled In
---|---|---
Deny | Denies script execution. In this mode, the Report Designer does not provide the Scripts Editor and does not list script events in the Properties window. | 
Unrestricted | Enables script execution at your own risk. | 
 | Obsolete. Use the Deny mode instead to ensure report security. Use the Unrestricted mode in a trusted environment only. | 
We recommend that you enable the Deny mode in any application to avoid potential security threats. To do this, register a ScriptPermissionManager class instance at application startup and pass the ExecutionMode.Deny value as the constructor parameter.
```csharp
using DevExpress.XtraReports.Security;
// ...
ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);
```
Multi-User Environment Specifics
In a multi-user application, you can share your reports with other users. Report scripts can be executed on your server machine and on users' client machines. To protect other users and yourself, we recommend that you do the following:

- Set the Deny script execution mode on all machines at application startup.
- Remove script code from report definition files when saving them. For instance, set the XtraReport.ScriptsSource property to an empty string in your storage's SetData method.
```csharp
using DevExpress.XtraReports.Extensions;
using DevExpress.XtraReports.UI;
using System.IO;

class MyReportStorage : ReportStorageExtension {
    // ...
    public void SetData(byte[] reportBytes, string reportName) {
        var reportLayout = ClearReportScripts(reportBytes);
        File.WriteAllBytes(reportName, reportLayout);
    }

    // Loads the layout, clears its script source and returns the re-serialized layout.
    public byte[] ClearReportScripts(byte[] reportBytes) {
        using (var stream = new MemoryStream(reportBytes)) {
            var report = XtraReport.FromStream(stream);
            report.ScriptsSource = "";
            using (var streamToSave = new MemoryStream()) {
                report.SaveLayoutToXml(streamToSave);
                return streamToSave.ToArray();
            }
        }
    }
}
```
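As an added example (not DevExpress's own code), the storage below extends the idea above so that scripts are stripped on the read path as well as on the write path, and any script found is reported to an audit callback; the `ReportStorageExtension` override signatures, the `folder` layout and the `audit` delegate are assumptions.

```csharp
using System;
using System.IO;
using DevExpress.XtraReports.Extensions;
using DevExpress.XtraReports.Security;
using DevExpress.XtraReports.UI;

// Hypothetical storage that treats every stored layout as untrusted: scripts are
// stripped when a layout is written and again when it is read back, and an audit
// callback records that a script was present (a sign the write path was bypassed).
class ScriptFreeReportStorage : ReportStorageExtension
{
    readonly string folder;
    readonly Action<string> audit;   // hypothetical sink, e.g. Console.Error.WriteLine
    public ScriptFreeReportStorage(string folder, Action<string> audit)
    {
        this.folder = folder;
        this.audit = audit;
    }
    // Client-supplied url is reduced to a file name so it cannot escape the folder.
    string PathFor(string url) { return Path.Combine(folder, Path.GetFileName(url)); }

    // Base signature assumed: byte[] GetData(string url). Stripping on read too means a
    // layout edited on disk or written by another client cannot carry scripts in.
    public override byte[] GetData(string url)
    {
        return StripScripts(File.ReadAllBytes(PathFor(url)), url);
    }
    // Base signature assumed: void SetData(XtraReport report, string url).
    public override void SetData(XtraReport report, string url)
    {
        using (var stream = new MemoryStream())
        {
            report.SaveLayoutToXml(stream);
            File.WriteAllBytes(PathFor(url), StripScripts(stream.ToArray(), url));
        }
    }
    // Clears XtraReport.ScriptsSource; records only the script length, never its body.
    byte[] StripScripts(byte[] layout, string url)
    {
        using (var input = new MemoryStream(layout))
        using (var report = XtraReport.FromStream(input))
        using (var output = new MemoryStream())
        {
            if (!string.IsNullOrWhiteSpace(report.ScriptsSource))
                audit($"report '{url}' contained {report.ScriptsSource.Length} chars of script; removed");
            report.ScriptsSource = "";
            report.SaveLayoutToXml(output);
            return output.ToArray();
        }
    }
}
```

Register the storage with ReportStorageExtension.RegisterExtensionGlobal at application startup, next to the Deny-mode line shown above, so that a script which slips past the storage still cannot execute.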