Greetings!
Description:
I have found a Cross-Site Scripting issue in the rich text editor, RadEditor. This is not in a body where user provides certain strings, rather it's in the text properties which gets sent along with the user input, such as font-style. The developers were able to follow the filtering mechanisms given in at https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss), but it provides protection for the inputs given in <textarea>, and for the properties values. Hence XSS is still possible
Steps for Reproduction:
1. Open up the text editor {{Screenshot 2020-09-23 at 12.08.51 PM.png}}
2. Input a string and change its font style.
3. Click on submit and intercept the request. {{Screenshot 2020-09-23 at 12.14.45 PM.png}}
4. Now we need to modify the request body for parameter of texteditor's ID. You may notice that the font-style is set and sent by using a <span>.
RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e
Change parameter 'RadEditor1's value with the following:
RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e
5. Submit and notice the 200 OK response. Now go to the text editor and notice that the string texttexttext can be seen. {{Screenshot 2020-09-23 at 12.24.18 PM.png}}
6. Put a mouse cursor on the string and notice that it gets changed to ioioioioioioioioo<domainCookies>.
##################
Please let me know if given information doesn't suffice the abilities for reproduction.
Thanks,
Dhiraj
We used Telerik in our application. The network team reported a spam in it.
Using Telerik grid with SortExpression in telerik:GridTemplateColumn, has been reported as high priority network issue.
Issue name : Ajax request header manipulation (DOM-based)
Recorded the issue in below snippet of responce.
onclick="Telerik.Web.UI.Grid.Sort()"
Please let me know if you have any suggestions.!!!
Reproduction of the issue
RadGrid declaration
<telerik:RadButton runat="server" Text="PostBack" AutoPostBack="true"></telerik:RadButton>
<telerik:RadGrid runat="server" ID="RadGrid2">
<MasterTableView DataKeyNames="Column1" ClientDataKeyNames="Column1" CommandItemDisplay="Top">
<Columns>
<telerik:GridBoundColumn UniqueName="Col1" DataField="Column1" HeaderText="Col1"s></telerik:GridBoundColumn>
<telerik:GridBoundColumn UniqueName="Col2" DataField="Column2" HeaderText="Col2"></telerik:GridBoundColumn>
<telerik:GridBoundColumn UniqueName="Co13" DataField="Column3" HeaderText="Co13"></telerik:GridBoundColumn>
<telerik:GridBoundColumn UniqueName="Col4" DataField="Column4" HeaderText="Col4"></telerik:GridBoundColumn>
</Columns>
</MasterTableView>
<ClientSettings ReorderColumnsOnClient="false" AllowColumnsReorder="true">
<DataBinding Location="~/Api/RevCodeGrid" SelectMethod="GetDataAndCount2" >
</DataBinding>
</ClientSettings>
</telerik:RadGrid>
RevCodeGridController
public class Test
{
public String Column1 { get; set; }
public String Column2 { get; set; }
public String Column3 { get; set; }
public String Column4 { get; set; }
}
[HttpPost]
public virtual RadGridResultData GetDataAndCount2(object context)
{
List<Test> items = new List<Test>();
items.Add(new Test() { Column1 = "1", Column2 = "A", Column3 = "A1", Column4 = "A12" });
items.Add(new Test() { Column1 = "2", Column2 = "B", Column3 = "B1", Column4 = "B12" });
items.Add(new Test() { Column1 = "3", Column2 = "C", Column3 = "C1", Column4 = "C12" });
items.Add(new Test() { Column1 = "4", Column2 = "D", Column3 = "D1", Column4 = "D12" });
return new RadGridResultData { Data = items, Count = items.Count };
}
Current style
.k-reset {
margin: 0;
padding: 0;
border: 0;
background: none;
list-style: none; }
What it should be:
.k-reset {
margin: 0;
padding: 0;
border-width: 0;
outline: 0;
text-decoration: none;
font: inherit;
list-style: none
}
1) There is no element with the id or name as the value of the aria-controls attribute of the dateinput button with enabled ARIA support.
2) The aria-valuemin and aria-valuemax attribute are not valid on role=textbox
To fix these, the following workarounds can be used
Option 1: OnClientLoad event of the DateInput element inside the DatePicker
function DatePickerOnClientLoad(sender) {
setTimeout(function () {
$telerik.$(sender.get_element()).parent().find("[role=button][aria-controls]").removeAttr("aria-controls");
$telerik.$(sender.get_element()).removeAttr("aria-valuemin").removeAttr("aria-valuemax")
})
}
Option 2: using Sys.Application.Load event
function pageLoadHandler() {
$telerik.$("[role=button][aria-controls]");
$telerik.$("[role=textbox]").removeAttr("aria-valuemin").removeAttr("aria-valuemax");
// Sys.Application.remove_load(pageLoadHandler);
}
Sys.Application.add_load(pageLoadHandler);
When track changes disabled the backspace is OK: - User typed two lines (1) & (2) - At the beginning of the line (2) user presses the backspace key, it successfully appended the line (2) with line (1) (where there was a space available). When track changes enabled the backspace does not work as expected: - User typed two lines (1) & (2) - At the beginning of the line (2) user presses the backspace key, it removes the end of the character in line (1).
Hello,
I have noticed the changes in your website, demos and documentation, but not all seems to work well on IE 11.
In the new interface of
the left menu dissapear after more clicks (IE11)
However, in ASP.net AJAX demos, the new interface is not looking good on IE 11
For example, https://demos.telerik.com/aspnet-ajax/orgchart/examples/expandcollapse/defaultcs.aspx
The old interface was looking great, I had no problems at all, any control
I hope I will not have the same problems in my ASP.net application...
The issue is replicated when the spreadsheet is higher than the screen height. To reproduce it, scroll the page and click the last visible cell.
Result: The page is scrolled to the beginning of the Spreadsheet element
Expected: The page is not scrolled
<telerik:RadSpreadsheet runat="server" ID="RadSpreadsheet1" Height="2000px" Width="100%">
</telerik:RadSpreadsheet>
We have code for our ajaxified submit forms to disable the submit button on request start and re-enabled it on request end. This used to work, but when we upgraded to the latest build (2020.2.617), setting the disabled property to false now throws an error in IE from the WebResource.axd file (does not appear to have a problem in Firefox). The attached demo project shows exactly where the error occurs. Just click the Search button.
Attached picture shows an example of the error message thrown. The error does not appear to be with our javascript code itself; all the variables are populated and valid. It looks like something is getting triggered in the WebResource code when we set the disabled property to false and that is where the break is occurring.
This can be achieved if the role=menubar is set to the <ul> element containing the <li> menu items instead of the wrapper <div> element.
In this example from the WAI-ARIA Practices site, JAWS announces "1 of 3", "2 of 3", and "3 of 3" as the top-level menus are navigated.
https://www.w3.org/TR/wai-aria-practices/examples/menubar/menubar-1/menubar-1.html
Workaround from Admin:
<script>
function OnClientLoad(sender, args) {
$telerik.$(sender.get_element()).removeAttr("role").find(">").attr("role", "menubar")
}
</script>
<telerik:RadMenu runat="server" ID="RadMenu1" EnableAriaSupport="true" RenderMode="Lightweight" OnClientLoad="OnClientLoad" TabIndex="1">
Accessibility Insights is reporting invalid markup on all tabs in the TabList.
When consulting the online aria specifications I see that elements with role="tablist" support aria-level="#" where number is > 0. (https://www.w3.org/TR/wai-aria-1.2/#tablist) However, elements with role="tab" do not. (https://www.w3.org/TR/wai-aria-1.2/#tab)
If possible, we would like to see the aria-level tag moved to the correct page elements in the next release. (Thanks for correcting the aria-level="0" problem previously.)
I believe this may be the compliance issue Sunil was reporting previously here: https://feedback.telerik.com/aspnet-ajax/1413112-this-ul-should-only-contain-li-elements-without-an-aria-assigned-role.