Last Updated: 16 Dec 2021 16:05 by ADMIN
Release R1 2022
Created on: 17 Jan 2019 14:28
Category: ComboBox
Type: Bug Report
Possible XSS by executing JavaScript when CheckBoxes are enabled for RadComboBox

<telerik:RadComboBox runat="server" ID="CB" AllowCustomText="true" HighlightTemplatedItems="true" EnableViewState="false" CheckBoxes="true" EnableLoadOnDemand="true" OnItemsRequested="CB_ItemsRequested" ></telerik:RadComboBox>

Specifically, note that CheckBoxes is true.

In some cases, the combo box's  item's text may have HTML tags in them, but we don't want that HTML to be interpreted, and we're happy that RadComboBox automatically encodes the Item's name.  For example, the Item's text might be <img src=xxx onerror=alert(0)> , and of course we don't want that javascript to run. 

However, we have found a case where the text is not properly escaped, in which case the javascript does run and the alert popup shows.  The error is in RadComboBox.CheckBoxes.js, in the _checkedItemsTextsFitInputWidth function.  That function is passed the comma separated string of all the selected item's text.  This function wants to measure the width of the string, and so it creates a div off-screen, and then pushes the checkedItemTexts string into the div.  If the checkedItemTexts string contains any HTML tags that contain javascript, then that javascript is executed, which can be a XSS attack.

1 comment
Peter Milchev
Posted on: 17 Jan 2019 14:31
Hi Wesley,

Thank you for reporting this issue.

A temporary workaround can be overriding this function as follows: 

    var old = Telerik.Web.UI.RadComboBox.prototype._checkedItemsTextsFitInputWidth
    Telerik.Web.UI.RadComboBox.prototype._checkedItemsTextsFitInputWidth = function (elem) {
        var encodedElem = $telerik.encodeHtml(elem);
        return, encodedElem);

As a token of gratitude for helping us identify the issue, we have updated your Telerik points.

Peter Milchev
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.