Completed
Last Updated: 22 May 2020 15:07 by ADMIN
cortex
Created on: 26 Mar 2020 13:14
Category: Kendo UI for jQuery
Type: Bug Report
ForeignKey columns filter data are vulnerable to XSS

Hi,

I'm using Grid version 2019.3.1023, but the changelog for newer versions doesn't seem to show this has been fixed.


Using Html.Kendo().Grid().Columns(columns => columns.ForeignKey(x => x.ForeignCol, data, "value", "label"));


If data contains HTML, it will not be escaped when the JavaScript for the kendoGrid component is rendered, and the page is thus exposed to XSS.

This should either be fixed, or the documentation and samples must state explicitly that we need to HTML-encode the data, as this is not the case for the model itself.


9 comments
ADMIN
Angel Petrov
Posted on: 22 May 2020 15:07

Hello,

Indeed, we will do our best to provide a sample that illustrates a possible realization. That way the entire community will benefit from it.

Regards,
Angel Petrov
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
cortex
Posted on: 18 May 2020 11:26

Should you provide how to properly encode the value, it can be a solution. As mentioned earlier, Html.Encode converts the < > to HTML entities and the value is rendered as raw text, which means the user will read the HTML entities and not < >.

Having a complete working sample would be a great addition.

ADMIN
Angel Petrov
Posted on: 18 May 2020 08:54

Hi,

We thoroughly discussed the described case and came to the conclusion that this should be handled by the developer. The grid helper functions by serializing a jQuery widget to the client. In cases like the one described, part of the serialized values come from a database and we have no control over how data is stored. For better security, it would be preferable to encode the values either before they get inserted into the database (thus keeping the DB clean) or before being serialized to the client. We will address this in our documentation as soon as possible.

Regards,
Angel Petrov
Progress Telerik

ADMIN
Martin
Posted on: 08 Apr 2020 14:33

Hello Cortex,

Thank you for the additional information.

I have converted this thread to a bug report so that you can track its status in our Feedback Portal. 

As a small token of gratitude I am updating your Telerik Points.

Let me know if you have any further questions.

Regards,
Martin
Progress Telerik

cortex
Posted on: 03 Apr 2020 19:36


Yes, browsers interpret the ending tag, and anything after it, as HTML. It's enough for an attacker to perform XSS. I don't even bother trying to craft a forged string suitable to do that.

As you seem to think it's safe, here is the proof. Replace it with </script><script>alert('I can make dirty thing here');</script><script>hide this dirty json

You will see a dialog box invoked from the injected JavaScript, and the rest of the JSON is now hidden.

I can fix this by encoding the data in the data source (whether it is the data source the component is bound to with BindTo or the values for the select list), but as you said, it is simply rendered as text and the user will see:

&lt;/script&gt;&lt;script&gt;alert(&#x27;I can make dirty thing here&#x27;);&lt;/script&gt;&lt;script&gt;hide this dirty json.


Having < > is legit and should be correctly encoded and decoded by the component itself.
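The two points of this exchange side by side, as an added JavaScript illustration that is not code from the thread or from Telerik: a raw value serialized into a script block carries a live `</script>` closer, HTML-encoding it first is what produces the double-encoded display, and a JavaScript-context escape (\uXXXX for <, >, &) keeps the block intact while the parsed label is unchanged. The lookup data and all function names are constructed for the example.

```javascript
// Constructed sample: a foreign-key lookup list as the grid helper would
// serialize it into the page's <script> block (not real application data).
const foreignKeyData = [
  { value: 1, label: "Beverages" },
  { value: 2, label: "</script><script>alert('I can make dirty thing here');</script>" },
];

// Naive: raw JSON dropped into the script tag. JSON.stringify leaves "<", ">"
// and "/" untouched, so the embedded "</script>" ends the block early and the
// browser parses whatever follows as markup.
function serializeNaive(data) {
  return JSON.stringify(data);
}

// HTML-encoding the label before serialization keeps the script block intact,
// but the grid then renders the entities literally: the double encoding the
// reporter observed (&lt;/script&gt; shown to the user instead of </script>).
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
}
function serializeHtmlEncoded(data) {
  return JSON.stringify(data.map(d => ({ ...d, label: htmlEncode(d.label) })));
}

// Context-correct for a <script> block: escape <, >, & and the JS line
// terminators U+2028/U+2029 as \uXXXX inside the JSON text. The HTML parser
// never sees a "</script", and JSON.parse restores the original characters,
// so a label containing "<" is displayed as "<" when rendered as text.
function serializeForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Check a serialized payload for the closer that would break out of the block.
function containsScriptCloser(s) {
  return /<\/script/i.test(s);
}
```

The same escaping is what a server-side serializer must apply at the point where values are written into the script block; escaping at the HTML layer solves the break-out but not the display.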


ADMIN
Martin
Posted on: 03 Apr 2020 14:01

Hello Cortex,

Thank you for the additional information.

The error from the screenshot is because the closing tag from the <script>alert()</script> is closing the open tag at the beginning of the html-source (please refer to the html-source.png). As demonstrated, HTML added to the column is rendered as text and not as HTML, meaning that there are no XSS possibilities.

Let me know what you think regarding the above.

Regards,
Martin
Progress Telerik

cortex
Posted on: 31 Mar 2020 20:51

Thanks for getting back to me.

To reproduce the error, just replace the category name (index.cshtml:12) with <script>alert('xss');</script> (plain HTML).

This behavior is global for all server-side bound values (BindTo with other components is also affected).

ADMIN
Martin
Posted on: 31 Mar 2020 12:50

Hello Cortex,

Attached you will find a small project in which I tried to reproduce the reported behavior. You can see that the data in the ForeignKey column is encoded and is rendered as text and not as HTML. Could you please share if I am missing something to observe the problem? I would appreciate if you could modify the project accordingly to reproduce the issue.

Looking forward to your reply.

Regards,
Martin
Progress Telerik

cortex
Posted on: 26 Mar 2020 13:38
Encoding the data makes the generated JavaScript correct. But then, the text value is encoded before being displayed. Thus, the value displayed in the grid is encoded twice.