dhtmlxGantt doesn't provide any means of protecting an application from threats such as SQL injection or XSS and CSRF attacks. Responsibility for keeping an application safe lies with the developers implementing it. The backend must properly validate, escape and sanitize incoming data, enforce user access rules, etc.
Please note that client-side validation can be easily compromised or bypassed completely, so it can't be relied on as a security measure. Its purpose is to give the user immediate feedback on erroneous input without waiting for a server response; the final validation must be done on the server.
Here we highlight the most common types of attack and show possible ways to avoid them. Usually, implementing the backend CRUD according to the best practices of your platform is good enough.
Possible vectors for XSS attacks are an unsafe CRUD implementation on the backend, Gantt template functions and user input via the UI:
As for template functions and the lightbox listed below, they can only pose a threat if you don't clean your data on the server. Note that securing the backend is usually enough to prevent possible XSS attacks; conversely, no client-side measures will be effective if the backend is not secure.
dhtmlxGantt is a 100% client-side component, thus SQL injections have to be prevented on the backend by the developer.
There are two points to consider:
Thus you'll need some form of protection against SQL injection on your backend. If you use dhtmlxConnector and specify a table configuration as shown in the related documentation, all values will be escaped automatically. Otherwise, you'll have to use a safe CRUD implementation (parameterized queries) according to the good practices of the platform you use. The implementations shown in the "how to start" guides should be safe in terms of SQL injection.
If you use dhtmlxConnector on the backend, CSRF protection can be enabled in the connector configuration. See the details in the related article.
Otherwise, you'll have to handle it manually. Please check this article for adding custom tokens or headers to the requests sent by Gantt to the backend.
The library provides a special config that allows you to adjust the code of an application created with dhtmlxGantt to comply with the CSP (Content Security Policy) standard. It helps prevent various code injection attacks and improves the safety of the application.
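The two client-side measures mentioned above, escaping data inside Gantt template functions and attaching a CSRF token to Gantt's requests, as an added example (not code from the dhtmlxGantt docs or library). It assumes the page exposes the token in a `<meta name="csrf-token">` tag, the backend checks an `X-CSRF-Token` header, and a `/api/gantt` endpoint; the `createDataProcessor`/`setTransactionMode` calls follow the documented dataProcessor API of recent Gantt versions, so verify them against yours. Server-side escaping remains mandatory in any case.

```javascript
// Added example: escape untrusted task fields before a Gantt template
// interpolates them into HTML, and send a CSRF token header with every
// CRUD request issued by Gantt's dataProcessor. Token location, header
// name and endpoint URL are assumptions chosen for this example.

// Minimal HTML escaper covering the characters that break out of
// text and attribute contexts.
function escapeHtml(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Template bodies (Gantt template signature: start, end, task) that escape
// every field taken from task data instead of inserting it raw.
function taskTextTemplate(start, end, task) {
  return escapeHtml(task.text);
}

function tooltipTemplate(start, end, task) {
  return "<b>Task:</b> " + escapeHtml(task.text) +
         "<br/><b>Owner:</b> " + escapeHtml(task.owner);
}

// Headers for backend requests; the token is read from the meta tag
// when running in a browser, or passed in explicitly (e.g. in tests).
function csrfHeaders(token) {
  const value = token ?? (typeof document !== "undefined"
    ? document.querySelector('meta[name="csrf-token"]')?.content
    : undefined);
  if (!value) throw new Error("CSRF token not available");
  return { "X-CSRF-Token": value, "X-Requested-With": "XMLHttpRequest" };
}

// Wire everything into Gantt only when the library is loaded on the page.
if (typeof gantt !== "undefined") {
  gantt.templates.task_text = taskTextTemplate;
  gantt.templates.tooltip_text = tooltipTemplate;
  const dp = gantt.createDataProcessor({ url: "/api/gantt", mode: "REST" });
  dp.setTransactionMode({ mode: "REST", headers: csrfHeaders() });
}
```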
Read more about applying the CSP standard to a dhtmlxGantt application.