Rendering Html texts in header and content (custom dialog content/html/components)
This feature request would be used to monitor the requests for a full-fledged Dialog component. It will be defined in the Markup and will provide options to customize the Header and Content and will expose Action buttons.
Posted on:27 Jun 2021 10:24
Thank you for your input. How would you want this feature exposed in the component API?
I am asking because this is, in fact, a serious security risk, and at this point I cannot commit to how that would be possible (right now I am personally leaning more towards exposing a component type and a dictionary of parameters so that the Telerik Dialog will render your own component that will decide how to present data).
Personally, I would be wary of changing the default framework behavior (the framework encodes HTML for rendering, not us), and using a MarkupString behind a flag seems like a risky solution to me that can open up the door to XSS attacks.
Just to add to this as it seems Marin has asked for more information.
I believe this has been raised as originally the author wanted to add line breaks. I'm here for exactly the same reason, the dialog window renders <br/> instead of adding a line break. I understand this is to prevent attacks but .... having to create a window just to add a line break to a message is overkill to say the least.
I was hoping to use the Telerik dialog throughout a large application but this prevents it. Can this feature request be escalated? It is so close... HtmlEncode would do it and then leave it up to the developer to worry about the data being presented?
That said, could you provide some more details on how you would expect that to be exposed for configuration?
Marin Bratanov Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.