Need More Info
Last Updated: 12 Mar 2020 09:57 by ADMIN
Created on: 01 Aug 2013 10:23
Category: Grid
Type: Feature Request
Grid Group headers should be encoded by default
I have recenty found that if users include <html> tags in fields in a form, and this data is then displayed in a grid, if the user then groups by that column, raw html will be displayed. The "suggested" way around this potential huge security flaw is to use a group header template for every string column, ensuring the value is displayed encoded using ${value} instead of the default #=value#.

The default for a cell is ${value}
Angel Petrov
Posted on: 12 Mar 2020 09:57


Guys can you give us a sample scenario for this case? Actually the grid encodes the values by default and that is why the HTML is present. You can disable the encoding by setting the linked property to false and this will display the HTML accordingly. By providing us with an exemplary case we will research whether there is a security vulnerability.

Angel Petrov
Progress Telerik

Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
Posted on: 01 Aug 2013 10:35
This is a clear security problem for web applications that could be storing unvalidated user input and then displaying that input within a kendo grid.