Under Review
Last Updated: 29 Sep 2020 12:46 by ADMIN
Created by: Dhiraj
Comments: 3
Category: UI for ASP.NET AJAX
Type: Bug Report
1

Greetings!

Description:

I have found a Cross-Site Scripting issue in the rich text editor, RadEditor. This is not in a body where the user provides certain strings; rather, it's in the text properties which get sent along with the user input, such as font-style. The developers were able to follow the filtering mechanisms given at https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss), but it provides protection for the inputs given in <textarea>, and for the property values. Hence XSS is still possible.

 

Steps for Reproduction:

 

1. Open up the text editor {{Screenshot 2020-09-23 at 12.08.51 PM.png}}

2. Input a string and change its font style.

3. Click on submit and intercept the request. {{Screenshot 2020-09-23 at 12.14.45 PM.png}}

4. Now we need to modify the request body for the parameter of the text editor's ID. You may notice that the font-style is set and sent by using a <span>.

RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

Change the value of the parameter 'RadEditor1' to the following:

RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

5. Submit and notice the 200 OK response. Now go to the text editor and notice that the string texttexttext can be seen. {{Screenshot 2020-09-23 at 12.24.18 PM.png}}

6. Put the mouse cursor on the string and notice that it gets changed to ioioioioioioioioo<domainCookies>.

 

##################

Please let me know if the given information doesn't suffice for reproduction.

 

Thanks,

Dhiraj
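
A server-side check for the gap this report describes, added here as an illustration and not Telerik's or the reporter's code: it decodes the double-URL-encoded editor parameter, then strips every event-handler attribute and every non-allowlisted style property from the submitted markup while keeping the font-family span the editor legitimately sends. The tag and style allowlists and the sample parameter values are assumptions for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Allowlists are assumptions for this illustration, not RadEditor settings.
ALLOWED_TAGS = {"span", "b", "i", "u", "p", "br"}
ALLOWED_STYLE_PROPS = {"font-family", "font-size", "font-weight", "font-style"}

def _clean_style(value):
    """Keep only allowlisted CSS properties; drop any value containing '(' (url(), expression())."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_STYLE_PROPS and "(" not in val:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded, we re-escape it
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):      # tag/attr names arrive lowercased
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        safe = ""
        for name, val in attrs:
            if name.startswith("on"):           # onmouseover, onclick, ... never pass
                self.dropped.append(name)
            elif name == "style" and (css := _clean_style(val or "")):
                safe += ' style="%s"' % escape(css, quote=False).replace('"', "&quot;")
            else:
                self.dropped.append(name)       # no other attribute is allowed through
        self.out.append(f"<{tag}{safe}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize_editor_param(encoded):
    """Decode the double-URL-encoded editor value; return (clean_html, dropped_names)."""
    parser = _Sanitizer()
    parser.feed(unquote(unquote(encoded)))
    parser.close()
    return "".join(parser.out), parser.dropped
```

Logging the `dropped` list on the server also gives a cheap detection signal: a legitimate font-style change never carries an `on*` attribute.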

Under Review
Last Updated: 02 Jan 2020 16:48 by ADMIN
RadCodeBlock and RadScriptBlock are not able to handle the server tags in all scenarios, hence RadAjaxManager throws the exception mentioned in the title.
Under Review
Last Updated: 01 Jun 2018 09:06 by ADMIN
Created by: Peter Milchev
Comments: 0
Category: UI for ASP.NET AJAX
Type: Bug Report
1
https://www.telerik.com/support/kb/aspnet-ajax/details/cannot-scroll-telerik-control-in-ios-11.3---the-page-scrolls-instead
Under Review
Last Updated: 01 May 2018 15:22 by ADMIN
Created by: Patrik Johansson
Comments: 1
Category: UI for ASP.NET AJAX
Type: Bug Report
1
Hi,

Make configuration wizards work even on high resolution screens with scaling. See attached screenshot.

Regards,
Patrik Johansson
Under Review
Last Updated: 09 Mar 2016 16:49 by ADMIN
Under Review
Last Updated: 03 Mar 2016 09:36 by ADMIN
Created by: Ivan Zhekov
Comments: 0
Category: UI for ASP.NET AJAX
Type: Bug Report
6
Based on customer feedback: fully collapsed groups in the ribbon bar have a smaller height, which leads to a broken layout, when only part of the ribbon groups are fully collapsed.
Under Review
Last Updated: 03 Mar 2016 09:34 by ADMIN
Created by: Ivan Zhekov
Comments: 0
Category: UI for ASP.NET AJAX
Type: Bug Report
6
Based on customer feedback: We just observed the problem that the width where the ribbon completely collapses does not match the width where the ribbon stops being completely collapsed.
Under Review
Last Updated: 03 Apr 2015 13:20 by ADMIN
For the time being the following CSS can be used:
CSS:
        <style>
            /* temporary workaround until a fix ships */
            .RadPanelBar .rpGroup .rpLink, .RadPanelBar .rpGroup .rpTemplate .RadButton {
                line-height: normal;
            }
        </style>
ASPX:
        <telerik:RadPanelBar ID="rpbOptions" runat="server" Width="200px" ExpandMode="SingleExpandedItem" AllowCollapseAllItems="true" Font-Bold="True">
            <Items>
                <telerik:RadPanelItem Text="Delivery Method" Font-Size="Small">
                    <Items>
                        <telerik:RadPanelItem Expanded="true">
                            <ContentTemplate>
                                <div id="div1">
                                    &nbsp;
                                    <telerik:RadButton ToggleType="Radio" ButtonType="ToggleButton" ID="RadButton9" runat="server" GroupName="gDeliveyMethod" Checked="true" AutoPostBack="false" Text="Pickup" ForeColor="#295B8B"></telerik:RadButton>
                                    <br />
                                    &nbsp;
                                    <telerik:RadButton ToggleType="Radio" ButtonType="ToggleButton" ID="RadButton10" runat="server" GroupName="gDeliveyMethod" AutoPostBack="false" Font-Size="X-Small" ForeColor="#295B8B" Text="Courier"></telerik:RadButton>
                                    <br />
                                    &nbsp;
                                    <telerik:RadButton ToggleType="Radio" ButtonType="ToggleButton" ID="RadButton11" runat="server" GroupName="gDeliveyMethod" AutoPostBack="false" Font-Size="X-Small" ForeColor="#295B8B" Text="US Mail"></telerik:RadButton>
                                    <br />
                                </div>
                            </ContentTemplate>
                        </telerik:RadPanelItem>
                    </Items>
                </telerik:RadPanelItem>
            </Items>
        </telerik:RadPanelBar>
Under Review
Last Updated: 17 Mar 2015 12:32 by ADMIN