When using RadEditor with the StripDomEventAttributes content filter enabled, script execution can still occur when switching from HTML to Design mode.
Certain HTML and SVG elements containing attributes such as onload, onclick, or href/to values that start with javascript: are not fully sanitized before the editor’s content is rendered in Design view. As a result, embedded script code can run during the mode transition even though the anti-script filter is active.
Reproduction steps:
Add a RadEditor with the default filters:
<telerik:RadEditor runat="server" ID="RadEditor1"
ContentFilters="DefaultFilters,StripDomEventAttributes">
</telerik:RadEditor>
- Load the page.
- Switch the editor to HTML mode.
- Paste any of the following samples (look below)
- Switch to Design view
- Watch alerts
<svg/onload=alert(1)><svg> <svg onload=alert(1)><svg> # newline char <svg onload=alert(1)><svg> # tab char <svg onload=alert(1)><svg> # new page char (0xc)
The Box Plot Chart throws the following errors when used:
RadHtmlChart.js:1 Uncaught ReferenceError: series is not defined Uncaught (in promise) ReferenceError: series is not defined
When SmallChange="1" and LargeChange="1" properties are equal, the Labels of the last RadSlider item are not centered on tick.
Code to reproduce:
<telerik:RadSlider RenderMode="Lightweight" runat="server" ID="RadSlider1"
Orientation="Horizontal" MinimumValue="0" MaximumValue="30"
Width="370px" Height="70px" ItemType="tick"
SmallChange="1" LargeChange="1">
</telerik:RadSlider>
Hi,
I am contacting you today to let you know I have found cross-site scripting vectors within the latest version of the RadEditor. I have attached images of the payloads that seem to bypass the XSS filter.
The second payload only works on Firefox browsers, but the first works on Chrome browsers too. While it still requires users to click on the link to trigger XSS, it can be easily social engineered in most situations.
- Wire up the onCommand client-side event to the grid
- Set the excel format to Biff
- Set the RenderMode to Lightweight
- Enable Sorting
<telerik:RadGrid ID="RadGrid2" runat="server" RenderMode="Lightweight" AllowSorting="true"> <ExportSettings> <Excel Format="Biff" /> </ExportSettings> <ClientSettings> <ClientEvents OnCommand="onCommand" /> </ClientSettings> <MasterTableView AutoGenerateColumns="True" CommandItemDisplay="Top"> <CommandItemSettings ShowExportToExcelButton="true" /> </MasterTableView></telerik:RadGrid>
While the Keyboard navigation is enabled, navigating through the items using the UP/DOWN arrows does mark the rows active, however, the active styles remain for the rows even if they aren't active anymore.
The issue happens when using the ActiveItemStyle element to define the styles (e.g. ForeColor, BackColor, etc.). Works as expected using the default styles.
Code to replicate the issue
<script runat="server">
protected void RadGrid1_NeedDataSource(object sender, GridNeedDataSourceEventArgs e)
{
(sender as RadGrid).DataSource = Enumerable.Range(1, 5).Select(x => new
{
OrderID = x,
OrderDate = DateTime.Now.Date.AddDays(x),
Freight = x * 0.1m,
ShipName = "Name " + x,
ShipCountry = "Country " + x
}).ToList();
}
</script>
<telerik:RadGrid ID="RadGrid1" runat="server" RenderMode="Lightweight" OnNeedDataSource="RadGrid1_NeedDataSource">
<ActiveItemStyle BackColor="Red" ForeColor="White" />
<ClientSettings AllowKeyboardNavigation="true">
</ClientSettings>
</telerik:RadGrid>
add LastModified column to the RadFileExplorer default control. developing a custom handler seems a bit excessive IMHO to view this important information.
Thanks,
emil
When loading a page configured with RadScriptManager, RadStyleSheetManager, and RadWindowManager using CDN and combined resources, a JavaScript runtime error occurs:
<telerik:RadScriptManager runat="server" ID="RadScriptManager1"
AsyncPostBackTimeout="500" EnablePageMethods="true"
EnableScriptCombine="true" LoadScriptsBeforeUI="true"
EnableCdn="true" CdnSettings-TelerikCdn="Enabled" CdnSettings-CombinedResource="Enabled"
EnableScriptLocalization="true"
EnableScriptGlobalization="true" />
<telerik:RadStyleSheetManager ID="RadStyleSheetManager1"
runat="server"
EnableStyleSheetCombine="true"
CdnSettings-TelerikCdn="Enabled" CdnSettings-CombinedResource="Enabled" />
<telerik:RadWindowManager runat="server" ID="radWindowManager" Style="z-index: 7001;" RenderMode="Lightweight" />
<telerik:RadWindow runat="server" ID="RadWindowRecommendUs" EnableViewState="false"
Behaviors="Close" VisibleOnPageLoad="false"
Width="300px" Height="590px"
InitialBehaviors="Pin" VisibleStatusbar="false" VisibleTitlebar="true" Modal="true" ReloadOnShow="true" Overlay="false" />
<telerik:RadWindow ID="RadWindowFacebookLoginCompleteDetails" runat="server"
Behaviors="Reload" Modal="true" VisibleStatusbar="false"
Width="720" Height="750"
IconUrl="/SITE/COMPONENTS/facebook/fb_icon_16X16.png"
/>
<telerik:RadAjaxLoadingPanel ID="LoadingPanel1" runat="server" Style="width: 100%; min-height: 250px;" /> The page should load without script registration conflicts.
Actual behavior:
The browser console shows an Uncaught Sys.InvalidOperationException, preventing proper execution of Telerik scripts.
Hi,
We are trying to upgrade our application to the latest Telerik UI for ASP.NET AJAX (2025.3.812) and we are experiencing an issue with spell check.
In the latest version words with a ' in them eg "Darren's" are flagged as a spelling mistake as "Darrenss" where the ' is replaced with the letter after it. Even if you click ignore it still replaces the original text with the version with the extra s.
The use of spell check is enforced in our application so this preventing us from upgrading.
You can reproduce the issue on the Telerik spell check demo page here:
https://demos.telerik.com/aspnet-ajax/spell/examples/overview/defaultcs.aspx
Can you please confirm if there is a work around or a fix available?
Thanks
When using a RadDropDownTree with CheckBoxes="CheckChildNodes" , setting CheckChildNodes="false" has no effect.
<telerik:RadDropDownTree ID="DdtDpt" runat="server" CheckBoxes="CheckChildNodes" CheckChildNodes="false" CheckNodeOnClick="true"
DataFieldParentID="pid" DataFieldID="id" DataTextField="name" DataValueField="id" Width="350px">
</telerik:RadDropDownTree>
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
DdtDpt.DataSource = GetDummyDepartments();
DdtDpt.DataBind();
}
}
private List<Department> GetDummyDepartments()
{
return new List<Department>
{
new Department { id = 1, pid = null, name = "Head Office" },
new Department { id = 2, pid = 1, name = "HR" },
new Department { id = 3, pid = 1, name = "IT" },
new Department { id = 4, pid = 3, name = "Development" },
new Department { id = 5, pid = 3, name = "Support" },
new Department { id = 6, pid = null, name = "Branch Office" },
new Department { id = 7, pid = 6, name = "Sales" },
new Department { id = 8, pid = 6, name = "Logistics" }
};
}
public class Department
{
public int id { get; set; }
public int? pid { get; set; }
public string name { get; set; }
}
When I set RadWindow property VisibleTitlebar="false" then top border is missing on window.
Here is sample code:
<telerik:RadWindow runat="server" ID="GenerateReportWaitWindow" Width="440px" Height="200px"
VisibleTitlebar="false" Modal="true" ReloadOnShow="false" VisibleStatusbar="false"
VisibleOnPageLoad="false" EnableShadow="false" Animation="Fade" Behaviors="None"
Title="Čakajte prosím...">
<ContentTemplate>
<div style="min-height: 66%;">
<div style="padding-top: 30px; padding-bottom: 45px; text-align: center; font-weight: bold;">
<asp:Label ID="Label4" runat="server">Prebieha vytváranie tlačovej zostavy. Čakajte prosím.</asp:Label>
<asp:Label ID="Label5" runat="server">(V závislosti od počtu záznamov to môže trvať aj niekoľko minút...)</asp:Label>
<asp:Label ID="Label6" runat="server" ForeColor="Red" Style="display: none;"></asp:Label>
</div>
<div style="margin-left: auto; margin-right: auto; text-align: center;">
<asp:Image ID="Image2" runat="server" ImageUrl="~/Images/Animated/loading1.gif" />
</div>
</div>
</ContentTemplate>
</telerik:RadWindow>
Admin comment:
Actually there is 1px top border, but it is hard to be noticed. As a temporary solution, one can increase it via the following padding:
Copy Code
<style>
.RadWindow {
padding: 4px 5px 5px !important;
}
</style>
The issue reported previously - Uncaught TypeError: Cannot read properties of null (reading 'className') - is still present if setting the <compilation debug=”true”> in the web.config and EnableScriptCombine="false" in the ScriptManager.
Workaround - Toggle drop zone visibility or enable/disable it, using AsyncUpload OnClientFileUploaded and OnClientFileUploadRemoved events:
<div class="dropfile" style="height: 20px; width: 120px; background-color: red; display: block">
</div>
<telerik:RadAsyncUpload ID="fimFileImport" runat="server" DropZones=".dropfile" MaxFileInputsCount="1"
RenderMode="Lightweight" OnClientFileUploaded="OnClientFileUploaded" OnClientFileUploadRemoved="OnClientFileUploadRemoved" >
</telerik:RadAsyncUpload>
<script type="text/javascript">
function OnClientFileUploaded(sender, args) {
var maxFileCount = sender.get_maxFileCount();
var uploadedFilesLength = sender.getUploadedFiles().length;
if (maxFileCount === uploadedFilesLength) {
$telerik.$('.dropfile').hide();
}
}
function OnClientFileUploadRemoved(sender, args) {
var maxFileCount = sender.get_maxFileCount();
var uploadedFilesLength = sender.getUploadedFiles().length;
if (maxFileCount > uploadedFilesLength) {
$telerik.$('.dropfile').show();
}
}
</script>
Contact email: carlos.diaz@cenace.gob.mx