Hi,
I'm using Grid version 2019.3.1023, but the changelog for newer versions doesn't seem to show that this has been fixed.
Using Html.Kendo().Grid().Columns(columns => columns.ForeignKey(x => x.ForeignCol, data, "value", "label"));
If data contains HTML, it will not be escaped when the JavaScript for the kendoGrid component is rendered, and is thus exposed to XSS.
This should either be fixed, or the documentation and samples must state explicitly that we need to HTML-encode the data, as this is not the case for the model itself.
Hello,
Indeed we will do our best to provide a sample that illustrates a possible realization. That way the entire community will benefit from it.
Regards,
Angel Petrov
Progress Telerik
Should you provide a way to properly encode the value, that could be a solution. As mentioned earlier, Html.Encode converts < > to HTML entities and the value is rendered as raw text, which means the user will read the HTML entities and not < >.
Having a complete working sample would be a great addition.
Hi,
We thoroughly discussed the described case and came to the conclusion that this should be handled by the developer. The grid helper functions by serializing a jQuery widget to the client. In cases like the described one, part of the serialized values come from a database and we have no control over how data is stored. For better security it would be better to encode the values either before they get inserted into the database (thus keeping the DB clean) or before being serialized to the client. We will address this in our documentation as soon as possible.
Regards,
Angel Petrov
Progress Telerik
Hello Cortex,
Thank you for the additional information.
I have converted this thread to a bug report so that you can track its status in our Feedback Portal.
As a small token of gratitude I am updating your Telerik Points.
Let me know if you have any further questions.
Regards,
Martin
Progress Telerik
Yes, browsers interpret the ending tag, and anything after it, as HTML. It's enough for an attacker to make an XSS. I don't even bother trying to tackle a forged string suitable to do that.
As you seem to think it's safe, here is the proof. Replace with </script><script>alert('I can make dirty thing here');</script><script>hide this dirty json
You will see a dialog box invoked from the injected JavaScript, and the rest of the JSON is now hidden.
I can fix this by encoding the data in the data source (whether it is the data source the component is bound to with BindTo or the values for the select list), but as you said, it is simply rendered as text and the user will see:
</script><script>alert('I can make dirty thing here');</script><script>hide this dirty json.
Having < > is legitimate and should be correctly encoded and decoded by the component itself.
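The two posts above (the reply that says values should be encoded before being serialized to the client, and the `</script>` proof) are really about which encoding is applied at which step. The following is an added example, not code from the thread or from Telerik: it builds the same foreign-key lookup list with the payload from the thread (a constructed sample) and serializes it three ways. Naive JSON leaves `</script` in the inline script and breaks out of it; HTML-encoding the values first keeps the script intact but changes what the grid cell shows to `&lt;script&gt;`; escaping `<`, `>` and `&` as JSON `\uXXXX` escapes at serialization time keeps the script intact and round-trips the original text, so the user still sees real `<` and `>`. The `breaksOutOfScript` check emulates the HTML parser rule that a script element ends at the first `</script` regardless of JavaScript string quoting; the function and data names are this example's own.

```javascript
// Added example (not from the thread or from Telerik): three ways of placing
// user-controlled data inside an inline <script> block, and what each costs.

// Constructed sample: a foreign-key lookup list whose second "label" carries
// the payload posted in the thread. In the real app this comes from the DB.
const lookupData = [
  { value: 1, label: "Books" },
  { value: 2, label: "</script><script>alert('I can make dirty thing here');</script><script>hide this dirty json" },
];

// 1. Naive: a serializer that only cares about producing valid JSON.
function serializeNaive(data) {
  return JSON.stringify(data);
}

// 2. HTML-encode the values before serializing (the workaround discussed in
//    the thread). The script stays intact, but the cell now displays the
//    entities literally instead of "<" and ">".
function htmlEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
function serializeHtmlEncoded(data) {
  return JSON.stringify(data.map((r) => ({ ...r, label: htmlEncode(r.label) })));
}

// 3. Escape for the script context at serialization time: replace <, >, &
//    and the JS line terminators U+2028/U+2029 with JSON \uXXXX escapes.
//    JSON.parse returns the original characters, but the byte sequence
//    "</script" can never appear in the emitted script.
function serializeScriptSafe(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// The HTML tokenizer closes a <script> element at the first "</script" it
// sees (case-insensitive), no matter what JavaScript string it sits inside.
function breaksOutOfScript(json) {
  return /<\/script/i.test(json);
}

// For each strategy: does the inline script survive, and what text does the
// grid cell end up showing after the browser parses the JSON?
function demo() {
  const strategies = {
    naive: serializeNaive,
    htmlEncoded: serializeHtmlEncoded,
    scriptSafe: serializeScriptSafe,
  };
  const results = {};
  for (const [name, serialize] of Object.entries(strategies)) {
    const json = serialize(lookupData);
    results[name] = {
      breaksOut: breaksOutOfScript(json),
      labelSeen: JSON.parse(json)[1].label,
    };
  }
  return results;
}

console.log(demo());
```

The escaping in `serializeScriptSafe` has to happen when the JSON text is produced, not on the values beforehand: if the data itself already contained `\u003c`, a JSON serializer would escape the backslash and the user would see the literal text `\u003c`. That is the step the grid helper owns when it serializes the widget to the client, which is why pre-encoding the data in the data source cannot give the same result.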
Hello Cortex,
Thank you for the additional information.
The error from the screenshot is because the closing tag from the <script>alert()</script> is closing the open tag at the beginning of the HTML source (please refer to the html-source.png). As demonstrated, HTML added to the column is rendered as text and not as HTML, meaning that there are no XSS possibilities.
Let me know what you think regarding the above.
Regards,
Martin
Progress Telerik
Thanks for getting back to me.
To reproduce the error, just replace the category name (index.cshtml:12) with <script>alert('xss');</script> (plain HTML).
This behavior is global for all server-side bound values (BindTo with other components is also affected).
Hello Cortex,
Attached you will find a small project in which I tried to reproduce the reported behavior. You can see that the data in the ForeignKey column is encoded and is rendered as text and not as HTML. Could you please share if I am missing something to observe the problem? I would appreciate if you could modify the project accordingly to reproduce the issue.
Looking forward to your reply.
Regards,
Martin
Progress Telerik