Pending Review
Last Updated: 23 Sep 2020 07:15 by Dhiraj
Created by: Dhiraj
Comments: 1
Category: UI for ASP.NET AJAX
Type: Bug Report
0

Greetings!

Description:

I have found a Cross-Site Scripting issue in the rich text editor, RadEditor. It is not in the body text the user provides, but in the text properties that get sent along with the user input, such as font-style. Developers are able to follow the filtering mechanisms given at https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss), but that provides protection for the input given in the <textarea> and for the property values. Hence XSS is still possible.

 

Steps for Reproduction:

1. Open up the text editor. {{Screenshot 2020-09-23 at 12.08.51 PM.png}}

2. Input a string and change its font style.

3. Click on submit and intercept the request. {{Screenshot 2020-09-23 at 12.14.45 PM.png}}

4. Now we need to modify the request body parameter carrying the text editor's ID. You may notice that the font style is set and sent using a <span>:

RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

Change the value of the 'RadEditor1' parameter to the following:

RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

5. Submit and notice the 200 OK response. Now go to the text editor and notice that the string textexttext can be seen. {{Screenshot 2020-09-23 at 12.24.18 PM.png}}

6. Hover the mouse cursor over the string and notice that the page content changes to ioioioioioioioioo<domainCookies>.

 

##################

Please let me know if the given information is not sufficient for reproduction.

 

Thanks,

Dhiraj
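The following is an added example, not part of the report above and not Telerik's code. It decodes the double-URL-encoded RadEditor1 value from the report to show the markup the server actually receives, and then applies a server-side tag/attribute/CSS allowlist that keeps the benign font-family <span> while removing the injected event handler. The allowlists, the parameter name and the extra test payloads are assumptions for the demo, and the regex tokenizer is for illustration only: a production filter should be built on an HTML-parser-based sanitizer.

```javascript
// Added example (not the report's or Telerik's code): decode the posted
// RadEditor1 value and sanitize it with an allowlist on the server side.

// Request bodies copied from the report (constructed form bodies for the demo).
const BENIGN_BODY = "RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e";
const TAMPERED_BODY = "RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e";

// The value is URL-encoded twice (the editor encodes its HTML, then the form
// encoding encodes the result), so two decode passes recover the markup.
function decodeEditorParam(body, name) {
  const once = new URLSearchParams(body).get(name); // first pass
  if (once === null) throw new Error(`missing parameter ${name}`);
  return decodeURIComponent(once);                  // second pass
}

// Assumed allowlists for the demo: formatting tags only, no URL-bearing
// attributes, and a handful of harmless CSS properties.
const ALLOWED_TAGS = new Set(["span", "p", "br", "b", "i", "u", "strong", "em"]);
const ALLOWED_ATTRS = new Set(["style"]);
const ALLOWED_CSS = new Set(["font-family", "font-size", "font-weight", "font-style", "color"]);

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only allowlisted CSS properties and reject values that could carry
// script or fetch external resources (expression(), url(), javascript:).
function sanitizeStyle(value) {
  const kept = [];
  for (const decl of value.split(";")) {
    const i = decl.indexOf(":");
    if (i < 0) continue;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const val = decl.slice(i + 1).trim();
    if (!ALLOWED_CSS.has(prop)) continue;
    if (/[<>\\]|expression\s*\(|url\s*\(|javascript:/i.test(val)) continue;
    kept.push(`${prop}: ${val};`);
  }
  return kept.join(" ");
}

const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|</g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuild every tag from scratch: unknown tags are dropped (their text is
// kept), every on* attribute is dropped regardless of name, and the only
// surviving attribute (style) is itself filtered and re-escaped.
function sanitizeHtml(html) {
  return html.replace(TAG_RE, (match, slash, name, rawAttrs) => {
    if (name === undefined) return "&lt;";          // stray "<" in text
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (slash) return `</${tag}>`;
    const attrs = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (attrName.startsWith("on")) continue;      // every event handler
      if (!ALLOWED_ATTRS.has(attrName)) continue;
      const clean = attrName === "style" ? sanitizeStyle(value) : value;
      if (clean) attrs.push(` ${attrName}="${escapeAttr(clean)}"`);
    }
    return `<${tag}${attrs.join("")}>`;
  });
}

// What the server should persist for a given request body.
function storeEditorContent(body) {
  return sanitizeHtml(decodeEditorParam(body, "RadEditor1"));
}

console.log(decodeEditorParam(TAMPERED_BODY, "RadEditor1"));
console.log(storeEditorContent(TAMPERED_BODY));
```

The point of the demo is that both request bodies produce the same stored markup: the tampered body loses only its onmouseover attribute, so the font-style the user chose survives while the handler does not. Because the check runs on the decoded value on the server, intercepting and editing the request (step 4 above) no longer helps the attacker.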

Pending Review
Last Updated: 04 Jun 2020 16:31 by scott

There is some undesirable behavior that has been discovered by our users regarding the ASP.NET RadGrid when filtering with the checkbox list. I have seen that the issue also happens on the Telerik demo page found here and will use it as the example: https://demos.telerik.com/aspnet-ajax/grid/examples/functionality/filtering/basic-filtering/defaultcs.aspx

If you go to the last demo on that page (Filtering with Client-Side Binding) and select the filter for Country, when the checkbox items appear, click on an item, but do not click on the checkbox. What happens is that the dropdown closes and nothing happens. The demo, however, is for client-side binding, which does not post back to the server. Our control is handled on the server side, so when this happens a request is sent and the user is presented with the loading circle, which makes the user think something is actually happening, yet it is not.

I suggest that the behavior of clicking on an item, outside of the checkbox, checks the box and keeps the list open.

At the least, there should be no request that is sent to the server as the box was not actually checked with the current behavior.

I have attached an image with a red 'X' on where a user may click to reproduce this behavior.

Pending Review
Last Updated: 31 Aug 2018 09:09 by Rohit
Created by: Rohit
Comments: 0
Category: Scheduler
Type: Feature Request
0
Please provide an option in the scheduler to freeze rows randomly.
Pending Review
Last Updated: 12 May 2018 10:01 by Rohit
Hi,
Please suggest how we can show only the working hours in the timeline view of RadScheduler and hide the non-working hours.

Currently the timeline view shows all 24 hour slots, but I want to show only the working hours in the time slots and hide the rest of the non-working hours.

Screenshots of the current view and the desired view are attached below.
Pending Review
Last Updated: 14 Mar 2018 17:02 by Sam
Hello, this is for the list of columns on the left side of the Gantt, called TreeListView. It would be good if it were possible to add additional columns that we select or implement during data binding, for example: Duration, other dates, description, task type, and many others that the client will select dynamically, so they must not be a static list of columns.

Thank you,
-Sam 
Pending Review
Last Updated: 12 Mar 2018 09:58 by Kasim
My objective is to compare product revenue over time. I would like to achieve this using data binding. I do not know the product names in advance, nor do I have the product names as columns. My data table has three columns:

Date
Product Name
Revenue

I should simply be able to achieve this by data binding to a table with the above three columns.
As a result, I expect each of the product names to appear as an independent series with revenues plotted on the different dates.

A similar graph is displayed in the Line Chart documentation for RadHtmlChart.
https://docs.telerik.com/devtools/aspnet-ajax/controls/htmlchart/chart-types/line-chart
Pending Review
Last Updated: 08 Mar 2018 10:19 by Dirk
We have a RadGrid, which has a set of columns, let's say C1 to CN.
Some of those columns are invisible and can be made visible with the Columns context menu, your control provides.
Assume a column Ci, that is not visible now.

If there exists a visible column Cx with x > i, your control works as expected. The column spans of the header are OK.
See GoodCase_Step.jpg

If there is no visible column Cx with x > i and Ci is switched to visible, the column spans within the header become completely invalid.
See BadCase.jpg_Step.jpg

We use Version 2017.3.913.45 of your library.

Thanks for your Support!
Pending Review
Last Updated: 06 Feb 2018 07:19 by Kasim
Created by: Kasim
Comments: 1
Category: ProgressBar
Type: Feature Request
1
Pending Review
Last Updated: 14 Dec 2017 21:55 by Joel
Created by: Joel
Comments: 0
Category: Grid
Type: Feature Request
0
I have a RadGrid with around 150 columns and a few hundred rows. Currently, I'm looping over them and setting their widths with the resizeColumn function. Unfortunately, it's triggering a recalculation of the layout every time I call this function, so the total page load time can be in the minutes.

Oddly, much of the time was spent on the line:
e.style.width=e.offsetWidth-d+"px";

Chrome's developer tools helpfully pointed me at Forced Reflow. Apparently, when a width is set, initially no extra work is done. When another width is requested, the previous width may have changed it, so the whole layout gets recalculated.

The feature I'd like to request is a function to set column widths in bulk (accepting anything like an array or a dictionary would be fine) that doesn't trigger this recalculation mid-function.
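An added illustration of the reflow behaviour described above; this is not code from the post or from Telerik's RadGrid. A small stand-in for the browser layout engine is constructed for the demo: a style write marks layout dirty, and the next read of offsetWidth forces a synchronous reflow (the "Forced Reflow" that Chrome's tools report). With that model, the per-column read/write loop costs one reflow per column, while reading every width before writing any brings the count inside the loop to zero with identical final widths. The column count, widths and delta are assumptions.

```javascript
// Added example: a constructed layout model, not browser or RadGrid code.
function makeColumns(widths) {
  const layout = { reflows: 0, dirty: false };
  const elements = widths.map((w) => {
    const el = { layoutWidth: w, style: {} };
    // Writing style.width invalidates layout, like a real style change.
    Object.defineProperty(el.style, "width", {
      get() { return `${el.layoutWidth}px`; },
      set(v) { el.layoutWidth = parseInt(v, 10); layout.dirty = true; },
    });
    // Reading offsetWidth while layout is dirty forces a synchronous reflow.
    Object.defineProperty(el, "offsetWidth", {
      get() {
        if (layout.dirty) { layout.reflows += 1; layout.dirty = false; }
        return el.layoutWidth;
      },
    });
    return el;
  });
  return { layout, elements };
}

// Same shape as the hot line in the post: read offsetWidth, then write
// width, one column at a time, so every read after the first reflows.
function resizeOneByOne(elements, delta) {
  for (const el of elements) {
    el.style.width = `${el.offsetWidth - delta}px`;
  }
}

// Batched: read every width first (layout is still clean), then write all.
function resizeBatched(elements, delta) {
  const widths = elements.map((el) => el.offsetWidth);
  elements.forEach((el, i) => { el.style.width = `${widths[i] - delta}px`; });
}

// Run a strategy over `count` columns and report reflows plus final widths.
function measure(strategy, count, delta) {
  const { layout, elements } = makeColumns(
    Array.from({ length: count }, (_, i) => 100 + i));
  strategy(elements, delta);
  return { reflows: layout.reflows, widths: elements.map((el) => el.layoutWidth) };
}

console.log(measure(resizeOneByOne, 150, 10).reflows); // 149
console.log(measure(resizeBatched, 150, 10).reflows);  // 0
```

The batched version is what a bulk-width API would do internally; until one exists, the same read-then-write split can be applied from page code around the existing per-column calls.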
Pending Review
Last Updated: 11 Dec 2017 22:00 by Joel
Created by: Joel
Comments: 0
Category: Ajax
Type: Bug Report
0
I have a RadGrid with several thousand elements on it. In attempting to improve performance, the Visual Studio profiler informed me that it spent more than half of the request in PopulatePlainPanels checking whether something was in a list. (see attached before.png)

I changed the type of the variable plainPanelsClientIDs in RadAjaxControl.cs to be a HashSet<string> instead of a List<string>. As a knock-on effect, I had to import System.Linq into RadAjaxManager.cs to get the .ToArray() call to work.

The result in the attached after.png shows the percentage of execution time dropped from 55% to 3%.

I'd appreciate it if the team would evaluate this change for inclusion in future releases.

Note 1: I have not done extensive testing on this, so I don't know what might break. The variable isn't referenced much, so the only thing I'm suspicious of is reflection, which I didn't check for and don't expect.
Note 2: If importing Linq is undesirable, a more manual conversion to an array can be done pretty easily.
Note 3: plainPanelsClientIDs is .Add()'ed to in two places, and both check for membership before calling it. This shouldn't be necessary for a HashSet, which simply doesn't add if the item is already there. This seems a very minor improvement, but I haven't actually tried it yet.
Pending Review
Last Updated: 07 Dec 2017 12:23 by avi
ADMIN
Created by: Marin Bratanov
Comments: 1
Category: Grid
Type: Feature Request
0
At the moment, RTL support for Excel-like filtering is not implemented. It displays the following issues:

    - menu position is wrong (tends to show up on the column to the left)
    - controls alignment inside the menu is wrong (ltr)

You can find attached a sample and screenshots with the current behavior
Pending Review
Last Updated: 06 Dec 2017 12:53 by ADMIN
The date pickers default to the year 1999 and do not accept input, so you cannot filter GridDateTimeColumn instances through the header context menu or the Excel-like filtering. The standard filter item and range filter can still be used instead of the context menus, but they are not available with Excel-like filtering.
Pending Review
Last Updated: 27 Nov 2017 12:10 by JF
Created by: JF
Comments: 0
Category: Spreadsheet
Type: Bug Report
0
Problem with simple excel behavior.

In Excel, when you type a string longer than the cell, the text is not clipped and shows over the other cells. Then, if you fill the adjacent cell, the text is clipped.

I've been able to mimic this behaviour using this css:

.RadSpreadsheet .rssPane .k-spreadsheet-cell {
    overflow: visible !important;
  }

But then, if you highlight those cells with a background color, the text is clipped again. The background color wipes out the text.

Attached is a small png to show the problem.

Please fix this to work like Excel. Users are complaining non-stop.

Thanks.
Pending Review
Last Updated: 22 Nov 2017 16:25 by ADMIN
When selecting an item with Enter key, the rawEvent propagation is not canceled and if a button with submit behavior is on the page, it is clicked.  https://www.screencast.com/t/sGVXL2baFj

Including this script to the page can be a temporary workaround: 
var _onEnterKeyOld = Telerik.Web.UI.RadComboBox.prototype._onEnterKey;
Telerik.Web.UI.RadComboBox.prototype._onEnterKey = function (e) {
    // run the original handler (selects the item), then cancel the default
    // action so the Enter key does not also click the submit button
    _onEnterKeyOld.call(this, e);
    e.preventDefault();
};
Pending Review
Last Updated: 14 Nov 2017 08:21 by Tony Monaco
The current RadTileList TileGroup item is only settable as text.  Is it possible to modify this item to use a LayoutTemplate so that additional items could be added to the TileGroup area?
Pending Review
Last Updated: 19 Oct 2017 15:23 by Cameron
Created by: Cameron
Comments: 0
Category: Grid
Type: Feature Request
3
I think it would be a great addition to the grid control if there was an attribute that you could apply to the columns called "SortNullsLast" or something along those lines. This attribute would modify the grid's sorting functionality and only apply the ascending or descending sort to non-null values.

Currently when you sort ascending, null values are sorted to the top of the grid. This new attribute would allow the non-null values to show up at the top in ascending order.

An example of why this would be useful is having a grid that tracks an optional requested completion date of a task. You would want to be able to sort the grid so that the earliest date shows first in the grid. Right now, any records that don't have this optional date would show first, which doesn't make sense.
Pending Review
Last Updated: 12 Sep 2017 04:58 by Roger
In the RadGantt, when using web services with the Gantt, there is no OnClientRequestEnd client-side event.

We have a scenario where we want to be able to track whether or not an insert/update succeeded (and update a control elsewhere on our page if it did) or failed (and show an alert if it didn't). However, there is currently no event handler for when web service requests from the RadGantt have completed.
Pending Review
Last Updated: 01 Sep 2017 19:20 by Erich
Created by: Erich
Comments: 0
Category: Grid
Type: Feature Request
2
I would like to suggest that the buttons in the RadGrid allow databinding of the CommandName and CommandArgument properties, and that pretty much all buttons, or anything that triggers an ItemCommand event and has a CommandName and CommandArgument, have those properties databindable and accessible in the code-behind.

Thanks!!!
Pending Review
Last Updated: 25 Aug 2017 08:11 by Arvind
For Bug Report:

Note: We are using MM/dd/yyyy as the internal date format to prevent issues while inserting or updating values.

Steps to reproduce:
When we use dd-MM-yyyy and yyyy-dd-MM as the date DisplayFormat for the RadDatePicker/RadDateTimePicker control, as well as in view mode in RadGrid Batch Edit mode, its rendering behaviour is inconsistent:
1. When dd is less than or equal to 12, month and day are interchanged when rendering in edit mode.
2. When dd is greater than 12, month and day are rendered correctly in edit mode.
Pending Review
Last Updated: 24 Aug 2017 12:59 by ADMIN
You would get something like

(([createddate] >= '01/08/2017,00:00:00') AND ([createddate] <= '14/08/2017,23:59:59'))

while you should get something like

(([createddate] >= '01/08/2017 00:00:00') AND ([createddate] <= '14/08/2017 23:59:59'))

so that the SQL syntax is valid.

RadGrid, does not send the FilterExpression to the SqlDataSource, however. It executes the SELECT statement and then filters the resulting data on its own. This works fine.

If you will be performing operations yourself, you could use a string operation before passing the filter expression. For example:

protected void RadGrid1_NeedDataSource(object sender, GridNeedDataSourceEventArgs e)
{
    if (!string.IsNullOrEmpty(this.RadGrid1.MasterTableView.FilterExpression))
    {
        // Replace the comma between date and time with a space so the expression is valid SQL
        if (this.RadGrid1.MasterTableView.FilterExpression.Contains("createddate"))
        {
            this.RadGrid1.MasterTableView.FilterExpression = this.RadGrid1.MasterTableView.FilterExpression.Replace(",", " ");
        }
        // GetData is your own data-access helper; the expression now looks like
        // (([createddate] >= '01/08/2017 00:00:00') AND ([createddate] <= '14/08/2017 23:59:59'))
        // It contains user-entered filter values, so GetData must validate or parameterize
        // them before executing the concatenated statement.
        DataView dv = GetData("select * from [myTable] where ", this.RadGrid1.MasterTableView.FilterExpression);
        this.RadGrid1.DataSource = dv;
    }
}

Note that implementing such a change may break existing code that relies on the current syntax that contains the comma.