Consistent script encoding when BindTo method is used compared to the MVC suite

Progress® Telerik® UI for ASP.NET Core Feedback Portal

Create an account Log In

Back to Feed

Request a Feature Report a Bug

Completed

Last Updated: 14 Sep 2020 08:09 by ADMIN

Release 2020.R3

Mateusz

Created on: 10 Jun 2020 12:23

Category: DropDownList

Type: Bug Report

Consistent script encoding when BindTo method is used compared to the MVC suite

If there is a text binding to the item that has a script tag injected, the Core component will break its initialization instead of encoding it as it is done for the Telerik UI for ASP.NET MVC DropDownList helper.

        @(Html.Kendo().DropDownList()
            .Name("DDL")
            .HtmlAttributes(new { style = "width:100%" })
            .OptionLabel("Select...")
            .DataTextField("text")
            .DataValueField("value")
            .Height(310)
            .BindTo(new List<object> {
                new { text = "Test", value = 0 },
                new { text = "<script>alert(123)</script>", value = 0 }
            })
        )

Result:

0 comments

Create an account Log In

View

Type

Status