WebService Load on demand combobox

Progress® Telerik® UI for ASP.NET AJAX Feedback Portal

Create an account Log In

Back to Feed

Request a Feature Report a Bug

Unplanned

Last Updated: 02 Jan 2020 16:45 by ADMIN

Patrik Madliak

Created on: 23 Jul 2019 06:31

Category: ComboBox

Type: Bug Report

WebService Load on demand combobox - XSS issue

In WebService binding scenario, the text of the items is not encoded and HTML code might get executed.

In Server-side Load on Demand binding this is not observed.

The following code can be used as a temporary workaround for WebService binding scenario:

<script type="text/javascript">
    Telerik.Web.UI.RadComboBoxItem.prototype._renderItemContent = function (d) {
        if (this.get_imageUrl()) {
            this._renderImage(d);
        }

        //https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript
        function escapeHtml(unsafe) {
            return unsafe
                    .replace(/&/g, "&amp;")
                    .replace(/</g, "&lt;")
                    .replace(/>/g, "&gt;")
                    .replace(/"/g, "&quot;")
                    .replace(/'/g, "&#039;");
        }

        d[d.length] = escapeHtml(this.get_text());
    }
</script>