Need More Info
Last Updated: 02 Mar 2020 12:43 by ADMIN
Leo
Created on: 04 Apr 2017 15:46
Category: Editor
Type: Feature Request
2
Improve security and support for Editor widget inside Grid preventing need of [AllowHtml]
The current Grid / Editor combo doesn't work together, making it nearly impossible to use the Editor inside a Grid. It may be possible, but that requires the [AllowHtml] attribute on the model, which is a security concern.
More details:
http://www.telerik.com/forums/kendo-editor-in-a-grid-popup-editor
1 comment
ADMIN
Ianko
Posted on: 02 Mar 2020 12:43

Hi Leo,

Generally, the idea of using Kendo Editor in such a scenario is to have the HTML saved to a database. There is security support regarding XSS and you can read more about that here: https://docs.telerik.com/kendo-ui/controls/editors/editor/preventing-xss.

In order to avoid using the AllowHtml attribute you need to send encoded HTML, but when rendering it you will need to decode it back to HTML. However, this is possible by using a field that is bound to the encodedValue method of the Editor.

On our end, we could eventually add an option to control whether the value method should return the encoded value or not. Currently, the value method returns the non-encoded value only. This would solve your case as the built-in editing utilizes only the value method of the widgets. Let me know if the latter would help you out so that I can approve the feature request.

Regards,
Ianko
Progress Telerik
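The encode-on-send, decode-on-render round trip described in the reply above, as an added JavaScript example that is not part of the thread or of Telerik's code. It does not use the Kendo library; the `looksLikeMarkupToRequestValidation` check is an assumption modelled on ASP.NET's classic request-validation heuristic, not the framework's source.

```javascript
// Encode the Editor's HTML the way a model field bound to encodedValue would carry it.
// Only named entities are produced, so the posted value contains no raw '<' and no '&#'.
function encodeEditorValue(html) {
  return html
    .replace(/&/g, "&amp;")   // must run first, so existing entities are preserved
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Reverse the encoding when rendering the stored value back into the page.
// Decoding restores the HTML exactly, so the Editor's XSS guidance still applies to it.
function decodeEditorValue(encoded) {
  return encoded
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");  // must run last, so "&amp;lt;" does not become "<"
}

// Assumption: approximation of the classic ASP.NET request-validation rule that makes
// [AllowHtml] necessary. '<' followed by a letter, '!', '/' or '?', or a '&#' numeric
// entity prefix, is rejected as "potentially dangerous".
function looksLikeMarkupToRequestValidation(value) {
  return /<[A-Za-z!\/?]/.test(value) || value.includes("&#");
}

// Simulate the Grid popup editor posting a row: the bound field carries the encoded value.
// Field names (Id, Body) are hypothetical.
function buildGridUpdatePayload(row) {
  return { Id: row.Id, Body: encodeEditorValue(row.Body) };
}

// Constructed sample: what a user might type into the Editor inside the Grid popup.
const sampleRow = { Id: 1, Body: '<p class="x">a &amp; b &lt; c</p>' };
const payload = buildGridUpdatePayload(sampleRow);
console.log("raw would be rejected:", looksLikeMarkupToRequestValidation(sampleRow.Body));
console.log("encoded would be rejected:", looksLikeMarkupToRequestValidation(payload.Body));
console.log("round trip intact:", decodeEditorValue(payload.Body) === sampleRow.Body);
```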
