Unplanned
Last Updated: 28 Mar 2019 15:03 by ADMIN
Wesley
Created on: 17 Jan 2019 14:28
Category: ComboBox
Type: Bug Report
1
Possible XSS by executing JavaScript when CheckBoxes are enabled for RadComboBox

<telerik:RadComboBox runat="server" ID="CB" AllowCustomText="true" HighlightTemplatedItems="true" EnableViewState="false" CheckBoxes="true" EnableLoadOnDemand="true" OnItemsRequested="CB_ItemsRequested" ></telerik:RadComboBox>

Specifically, note that CheckBoxes is true.

In some cases, the combo box items' text may have HTML tags in it, but we don't want that HTML to be interpreted, and we're happy that RadComboBox automatically encodes the Item's name. For example, the Item's text might be <img src=xxx onerror=alert(0)>, and of course we don't want that JavaScript to run.

However, we have found a case where the text is not properly escaped, in which case the JavaScript does run and the alert popup shows. The error is in RadComboBox.CheckBoxes.js, in the _checkedItemsTextsFitInputWidth function. That function is passed the comma-separated string of all the selected items' text. This function wants to measure the width of the string, so it creates a div off-screen and then pushes the checkedItemTexts string into the div. If the checkedItemTexts string contains any HTML tags that contain JavaScript, then that JavaScript is executed, which can be an XSS attack.

1 comment
ADMIN
Peter Milchev
Posted on: 17 Jan 2019 14:31
Hi Wesley,

Thank you for reporting this issue.

A temporary workaround can be overriding this function as follows: 

<script>
    // Keep a reference to the original measuring function.
    var old = Telerik.Web.UI.RadComboBox.prototype._checkedItemsTextsFitInputWidth;
    // Wrap it so the checked items' text is HTML-encoded before it is
    // pushed into the off-screen div; the encoded string renders as the
    // same literal characters, so the measured width is unchanged.
    Telerik.Web.UI.RadComboBox.prototype._checkedItemsTextsFitInputWidth = function (elem) {
        var encodedElem = $telerik.encodeHtml(elem);
        return old.call(this, encodedElem);
    };
</script>

As a token of gratitude for helping us identify the issue, we have updated your Telerik points.

Regards,
Peter Milchev
Progress Telerik
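The report above describes the root cause (item text pushed into an off-screen div for width measurement) and the reply shows the workaround (encode before measuring). The following added example, which is not Telerik's code and not part of this thread, puts the unsafe and safe measuring patterns side by side; encodeHtml, measureWithOffscreenDiv, measureTextWidthUnsafe, measureTextWidthSafe and makeStubDocument are hypothetical names, and the stub document exists only so the two paths can be compared outside a browser.

```javascript
// Added example (not Telerik's code): the unsafe and safe way to measure item text.
// Minimal HTML encoder mirroring the effect of $telerik.encodeHtml in the
// workaround; a real application should use the framework's own encoder.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Creates the off-screen div, lets `fill` put text into it, measures, cleans up.
function measureWithOffscreenDiv(doc, fill) {
  var div = doc.createElement("div");
  div.style.position = "absolute";
  div.style.left = "-9999px";
  div.style.whiteSpace = "nowrap";
  fill(div);
  doc.body.appendChild(div);
  var width = div.offsetWidth;
  doc.body.removeChild(div);
  return width;
}

// Unsafe: the comma-separated item texts go straight into an HTML sink, so
// markup inside an item name is parsed and its event handlers execute.
function measureTextWidthUnsafe(doc, checkedItemTexts) {
  return measureWithOffscreenDiv(doc, function (div) { div.innerHTML = checkedItemTexts; });
}

// Safe: textContent never parses markup, so "<img ...>" is rendered as the
// literal characters the user sees in the input, which is what should be
// measured. Encoding first and then using innerHTML (the workaround) renders
// the same literal characters, so the measured width is unchanged.
function measureTextWidthSafe(doc, checkedItemTexts) {
  return measureWithOffscreenDiv(doc, function (div) { div.textContent = checkedItemTexts; });
}

// Constructed stub standing in for `document` so both paths can be compared
// outside a browser; it records which sink received the text.
function makeStubDocument() {
  var log = { innerHTML: null, textContent: null };
  var doc = { log: log, body: { appendChild: function () {}, removeChild: function () {} } };
  doc.createElement = function () {
    var el = { style: {}, offsetWidth: 0 };
    Object.defineProperty(el, "innerHTML", { set: function (v) { log.innerHTML = v; } });
    Object.defineProperty(el, "textContent", { set: function (v) { log.textContent = v; } });
    return el;
  };
  return doc;
}
```

In a real browser the unsafe path is the one to look for in review: any place where a string built from item names reaches innerHTML or similar HTML sinks.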