xtrareports-2616-feature-guide-to-devexpress-reports-reporting-api-use-report-scripts-scripts-security.md
This document describes the security implications of report scripts and how to mitigate the associated risks.
Important
Report scripts are not secure and are disabled by default. We recommend that you use expression bindings to customize your reports. Use scripts only if you trust your reports and you cannot switch to expression bindings.
The default configuration for script execution mode is Deny. In this mode, the Report Designer hides the Scripts Editor and does not list script events in the Properties window. The Document Viewer does not run attached scripts when it opens a report.
The following report controls and API members support report scripts:
Note
Blazor WebAssembly Reporting applications do not support scripts.
To activate report scripts, register a ScriptPermissionManager class instance at application startup. Pass ExecutionMode.Unrestricted as the constructor parameter. Note that in this mode users are at risk of running malicious code on their machines. Use Unrestricted mode in a trusted environment only.
Your application may allow multiple users to access and modify the same report. Scripts specified by one user can run on the server or on another user’s client machine. To protect application users and yourself, we recommend that you remove script code from report definition files. To do this, set the XtraReport.ScriptsSource property to an empty string in the method that saves a report to your report storage.
```csharp
using DevExpress.XtraReports.Extensions;
using DevExpress.XtraReports.UI;
using System.IO;

class MyReportStorage : ReportStorageExtension {
    // ...
    public void SetData(byte[] reportBytes, string reportName) {
        // Strip script code before the layout reaches the storage.
        var reportLayout = ClearReportScripts(reportBytes);
        File.WriteAllBytes(reportName, reportLayout);
    }

    public byte[] ClearReportScripts(byte[] reportBytes) {
        using (var stream = new MemoryStream(reportBytes)) {
            var report = XtraReport.FromStream(stream);
            // An empty ScriptsSource removes all script code from the report definition.
            report.ScriptsSource = "";
            using (var streamToSave = new MemoryStream()) {
                report.SaveLayoutToXml(streamToSave);
                return streamToSave.ToArray();
            }
        }
    }
}
```
```vb
Imports DevExpress.XtraReports.Extensions
Imports DevExpress.XtraReports.UI
Imports System.IO

Class MyReportStorage
    Inherits ReportStorageExtension
    ' ...
    Public Sub SetData(ByVal reportBytes As Byte(), ByVal reportName As String)
        ' Strip script code before the layout reaches the storage.
        Dim reportLayout = ClearReportScripts(reportBytes)
        File.WriteAllBytes(reportName, reportLayout)
    End Sub

    Public Function ClearReportScripts(ByVal reportBytes As Byte()) As Byte()
        Using stream = New MemoryStream(reportBytes)
            Dim report = XtraReport.FromStream(stream)
            ' An empty ScriptsSource removes all script code from the report definition.
            report.ScriptsSource = ""
            Using streamToSave = New MemoryStream()
                report.SaveLayoutToXml(streamToSave)
                Return streamToSave.ToArray()
            End Using
        End Using
    End Function
End Class
```
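The storage code above strips scripts from reports as they are saved; an audit of report definitions that already sit in storage is a separate step. The following Python script is an added example, not DevExpress code, that flags layout files carrying script code. It assumes that a serialized layout stores the report's script code in a `ScriptsSource` attribute on the root element and binds control script handlers through attributes prefixed `Scripts.`; the sample XML is constructed for the demonstration. Removal should still go through the `XtraReport` API shown above rather than raw XML editing.

```python
"""Audit serialized report layouts (.repx) for embedded script code."""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Constructed sample layout: script code on the root element and one control
# bound to a script handler (attribute names are an assumption about the format).
SAMPLE_WITH_SCRIPT = """<XtraReportsLayoutSerializer SerializerVersion="1" Ref="1"
    ControlType="DevExpress.XtraReports.UI.XtraReport"
    ScriptsSource="private void xrLabel1_BeforePrint(object sender, System.ComponentModel.CancelEventArgs e) { }">
  <Bands>
    <Item1 Ref="2" ControlType="DetailBand" Name="Detail">
      <Controls>
        <Item1 Ref="3" ControlType="XRLabel" Name="xrLabel1" Scripts.OnBeforePrint="xrLabel1_BeforePrint" />
      </Controls>
    </Item1>
  </Bands>
</XtraReportsLayoutSerializer>
"""

# Constructed sample layout with no scripts (an empty ScriptsSource must not be flagged).
SAMPLE_CLEAN = """<XtraReportsLayoutSerializer SerializerVersion="1" Ref="1"
    ControlType="DevExpress.XtraReports.UI.XtraReport" ScriptsSource="">
  <Bands>
    <Item1 Ref="2" ControlType="DetailBand" Name="Detail" />
  </Bands>
</XtraReportsLayoutSerializer>
"""


def is_script_attribute(name: str, value: str) -> bool:
    """True for a non-empty script body or a control-to-handler binding."""
    return (name == "ScriptsSource" or name.startswith("Scripts.")) and bool(value.strip())


def find_script_attributes(layout_xml: str) -> List[str]:
    """Return '<element name>@<attribute>' for every script-bearing attribute."""
    hits: List[str] = []
    for elem in ET.fromstring(layout_xml).iter():
        for name, value in elem.attrib.items():
            if is_script_attribute(name, value):
                hits.append(f"{elem.get('Name') or elem.tag}@{name}")
    return hits


def scan_report_storage(root_dir: str) -> Dict[str, List[str]]:
    """Map each .repx file under root_dir that contains scripts to its findings."""
    findings: Dict[str, List[str]] = {}
    for path in Path(root_dir).rglob("*.repx"):
        hits = find_script_attributes(path.read_text(encoding="utf-8"))
        if hits:
            findings[str(path)] = hits
    return findings
```

Run `scan_report_storage` against the directory behind your report storage and treat every listed file as a candidate for the `ClearReportScripts` pass above.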