Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Detailed Guide to DevExpress Reporting > Reporting API > Use Report Scripts > Scripts Security
All docs
V23.2
Reporting
Product Information
.NET / .NET Core Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Introduction to Banded Reports
Bind Reports to Data
Use Report Controls
Use Report Parameters
Shape Report Data
Use Custom Fonts
Arrange Dynamic Report Contents
Customize Appearance
Add Navigation
Provide Interactivity
Add Extra Information
Merge Reports
Use Expressions
Store and Distribute Reports
Globalize and Localize Reports
Reporting API
Create a Report in Code
Use Report Scripts
Scripts Security
Scripts Overview
Scripts Tab - Visual Studio Report Designer
Debug Scripts in Visual Studio
Calculate Custom Summaries via Scripts
Handle Script Events of Report Elements
Handle Script Events to Calculate Custom Summaries
Handle Script Events at Runtime
Obsolete 'Restricted' Script Execution Mode
Use Helper Classes
Localize Reporting Applications
Security Considerations
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Reporting for .NET MAUI
Reporting for Web
Cloud Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Scripts Security

  • 3 minutes to read

This document addresses security implications related to report scripts and describes how to negate security risks.

Important

Report scripts are not secure. We recommend that you use expression bindings to customize your reports. Only enable scripts if you trust your reports and you are in a situation where you cannot use expression bindings.

Script Execution Modes

The following table lists the available script execution modes and their default values for each target platform:

Execution Mode

Description

Enabled In

Deny (Recommended)

Denies script execution.

In this mode, the Report Designer hides the Scripts Editor and does not list script events in the Properties window. The Document Viewer opens the report and does not run the attached scripts.

Unrestricted

Enables script execution at your own risk.

Restricted

Obsolete.

Use the Deny mode instead to ensure report security. Use the Unrestricted mode in a trusted environment only.

If you enable report scripts, users are at risk of running malicious code on their machines. In web applications, scripts are disabled out-of-the-box because scripts run on the server and the risk is higher.

We recommend that you enable the Deny mode in any application to avoid potential security threats. To do this, register a ScriptPermissionManager class instance at application startup and pass the ExecutionMode.Deny value as the constructor parameter.

ASP.NET MVC

using DevExpress.XtraReports.Security;
// ...

ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);

ASP.NET Core

using DevExpress.XtraReports.Security;

ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);

var builder = WebApplication.CreateBuilder(args);
// ...

Multi-User Environment Specifics

In a multi-user application, you can share your reports with other users. Reports scripts can run on server and client machines. To protect other users and yourself, we recommend that you do the following:

  • Set the Deny script execution mode on all machines at application startup.

    using DevExpress.XtraReports.Security;
// ...

ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager(ExecutionMode.Deny);

  • Remove the script code from the report definition files when you save them. To do this, set the XtraReport.ScriptsSource property to an empty string in the method that saves the report in your report storage.

    using DevExpress.XtraReports.Extensions;
using DevExpress.XtraReports.UI;
using System.IO;

class MyReportStorage: ReportStorageExtension {
    // ...
    public void SetData(byte[] reportBytes, string reportName){
        var reportLayout = ClearReportScripts(reportBytes);
        File.WriteAllBytes(reportName, reportLayout);
    }

    public byte[] ClearReportScripts(byte[] reportBytes) {
        using (var stream = new MemoryStream(reportBytes)) {
            var report = XtraReport.FromStream(stream);
            report.ScriptsSource = "";
            using (var streamToSave = new MemoryStream()) {
                report.SaveLayoutToXml(streamToSave);
                return streamToSave.ToArray();
            }
        }
    }
}