Declined
Last Updated: 10 Feb 2021 06:55 by ADMIN
Emma
Created on: 01 Aug 2013 10:23
Category: Grid
Type: Feature Request
10
Grid Group headers should be encoded by default
I have recently found that if users include <html> tags in fields in a form, and this data is then displayed in a grid, if the user then groups by that column, raw html will be displayed. The "suggested" way around this potentially huge security flaw is to use a group header template for every string column, ensuring the value is displayed encoded using ${value} instead of the default #=value#.

The default for a cell is ${value}
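The difference the request describes, shown with an added example that is not Kendo UI's code and not the requester's: a deliberately small stand-in renderer for the three template syntaxes (`#=expr#` inserts raw, `#:expr#` and `${expr}` insert HTML-encoded), plus the workaround of giving every string column an explicitly encoding group header template. The option name `groupHeaderTemplate` and the variables `value`, `field` and `count` are assumed to match Kendo's grid column options; the renderer itself is a simplified mimic, not Kendo's template engine.

```javascript
// Added example, not Kendo UI's own code. A single-pass mimic of Kendo's
// template syntax: `#= expr #` is raw, `#: expr #` and `${ expr }` are encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// One combined pattern so a raw-inserted value is never re-scanned for
// template markers (a second pass would turn stored data into template code).
const TOKEN = /#=(.*?)#|#:(.*?)#|\$\{(.*?)\}/g;

function renderTemplate(template, data) {
  return template.replace(TOKEN, (match, raw, enc1, enc2) => {
    const expr = raw !== undefined ? raw : (enc1 !== undefined ? enc1 : enc2);
    const key = expr.trim();
    if (!(key in data)) throw new Error("unknown template variable: " + key);
    return raw !== undefined ? String(data[key]) : htmlEncode(data[key]);
  });
}

// The unencoded default the request complains about, and the encoding
// replacement it suggests (field/value/count names are assumed to match
// what a Kendo groupHeaderTemplate receives).
const DEFAULT_GROUP_HEADER = "#= value #";
const SAFE_GROUP_HEADER = "${ field }: ${ value } (${ count })";

// Give every string column an encoding group header template unless the
// developer already set one explicitly.
function withEncodedGroupHeaders(columns) {
  return columns.map((col) =>
    col.type === "string" && !col.groupHeaderTemplate
      ? { ...col, groupHeaderTemplate: SAFE_GROUP_HEADER }
      : col
  );
}

function renderGroupHeader(column, group) {
  const template = column.groupHeaderTemplate || DEFAULT_GROUP_HEADER;
  return renderTemplate(template, {
    value: group.value,
    field: column.field,
    count: group.items.length,
  });
}

// Constructed sample data: a stored customer name that carries markup.
const columns = [
  { field: "customer", title: "Customer", type: "string" },
  { field: "amount", title: "Amount", type: "number" },
];
const group = { field: "customer", value: "<b>Acme</b>", items: [{}, {}] };

const unsafeHeader = renderGroupHeader(columns[0], group);
const safeHeader = renderGroupHeader(withEncodedGroupHeaders(columns)[0], group);

console.log("default (#=value#):", unsafeHeader);   // markup reaches the page as-is
console.log("encoded (${value}):", safeHeader);     // markup is shown as text
```

Run with `node`; the first line prints the raw `<b>Acme</b>` that a browser would interpret, the second prints the entity-encoded text that a browser displays literally. The non-string `amount` column is left untouched, since the request only asks for string columns to be encoded by default.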
3 comments
ADMIN
Maria Ivanova
Posted on: 10 Feb 2021 06:55
Hi Anthony,

Due to a lack of provided details related to the implementation of the feature request we are closing the item as Declined.

Let us know if the feature request is still of interest to you and we can re-open it for further review.

Kind Regards,
Maria Veledinova
Progress Telerik


ADMIN
Angel Petrov
Posted on: 12 Mar 2020 09:57

Hello,

Guys, can you give us a sample scenario for this case? Actually the grid encodes the values by default and that is why the HTML is present. You can disable the encoding by setting the linked property to false and this will display the HTML accordingly. By providing us with an exemplary case we will research whether there is a security vulnerability.

Regards,
Angel Petrov
Progress Telerik

Anthony
Posted on: 01 Aug 2013 10:35
This is a clear security problem for web applications that could be storing unvalidated user input and then displaying that input within a Kendo grid.