Pending Review
Last Updated: 23 Jul 2019 06:31 by Patrik Madliak
Created on: 23 Jul 2019 06:31
Category: ComboBox
Type: Bug Report
WebService Load on demand combobox - XSS issue

In the WebService binding scenario, the text of the items is not HTML-encoded, so HTML code contained in the item text might get executed.

In Server-side Load on Demand binding this is not observed. 

The following code can be used as a temporary workaround for the WebService binding scenario:

<script type="text/javascript">
    // Temporary workaround: override the client-side item renderer so that the
    // item text returned by the WebService is HTML-encoded before it is written out.
    Telerik.Web.UI.RadComboBoxItem.prototype._renderItemContent = function (d) {
        // Keep the original image rendering when the item has an image.
        if (this.get_imageUrl()) {
            this._renderImage(d);
        }

        // Escape the five HTML-significant characters so the text is displayed literally.
        //https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript
        function escapeHtml(unsafe) {
            return unsafe
                    .replace(/&/g, "&amp;")
                    .replace(/</g, "&lt;")
                    .replace(/>/g, "&gt;")
                    .replace(/"/g, "&quot;")
                    .replace(/'/g, "&#039;");
        }

        // d is the array of HTML fragments the control joins into the item markup;
        // push the encoded text instead of the raw text.
        d[d.length] = escapeHtml(this.get_text());
    };
</script>
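As an added check that is not part of the original report, the following stand-alone JavaScript models the workaround without a browser: a constructed stand-in for RadComboBoxItem (the real Telerik control is not loaded), the same escapeHtml as above, and an isInert check that verifies rendered item text can no longer become markup. The item texts are constructed samples.

```javascript
// Constructed stand-in for Telerik.Web.UI.RadComboBoxItem (the real control is
// not loaded here): items hold the raw text returned by the WebService.
function FakeComboBoxItem(text) { this._text = text; }
FakeComboBoxItem.prototype.get_text = function () { return this._text; };
FakeComboBoxItem.prototype.get_imageUrl = function () { return null; };
// Model of the reported behaviour: the item text is written into the markup unchanged.
function vulnerableRender(d) { d[d.length] = this.get_text(); }
FakeComboBoxItem.prototype._renderItemContent = vulnerableRender;

// Same escaping as the workaround on the page.
function escapeHtml(unsafe) {
  return String(unsafe)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}
// Applies the workaround pattern: swap the prototype's renderer for an encoding one.
function applyWorkaround(ItemCtor) {
  ItemCtor.prototype._renderItemContent = function (d) {
    d[d.length] = escapeHtml(this.get_text());
  };
}
// Renders one item the way the control does: into an array of HTML fragments.
function renderItem(ItemCtor, text) {
  const d = [];
  new ItemCtor(text)._renderItemContent(d);
  return d.join("");
}

// Check: true when the fragment holds no raw tag delimiters or quotes and every
// ampersand starts one of the entities escapeHtml emits, i.e. text cannot become markup.
function isInert(html) {
  return !/[<>"']/.test(html) && !/&(?!(amp|lt|gt|quot|#039);)/.test(html);
}

// Constructed sample item texts as a WebService might return them.
const SAMPLE_TEXTS = ["Plain item", "Tom & Jerry", "<b>bold</b> label", "\"quoted\" text"];

// Renders the samples before and after installing the workaround.
function demo() {
  FakeComboBoxItem.prototype._renderItemContent = vulnerableRender; // start unpatched
  const before = SAMPLE_TEXTS.map((t) => renderItem(FakeComboBoxItem, t));
  applyWorkaround(FakeComboBoxItem);
  const after = SAMPLE_TEXTS.map((t) => renderItem(FakeComboBoxItem, t));
  return { before, after, allInert: after.every(isInert) };
}

console.log(JSON.stringify(demo(), null, 2));
```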
