Need More Info
Last Updated: 15 Dec 2021 11:40 by ADMIN
Mark
Created on: 13 Dec 2021 14:07
Category: Editor
Type: Bug Report
insert link

Hi Team,

We recently ran a security scan on our web application, which is using the "https://kendo.cdn.telerik.com/2020.2.513" version.

We encountered one scenario where a cross-site script executed even though we implemented encode and decode.

Scenario: User opens editor -> Clicks Insert Link option.

We filled in the URL and Text inputs, and in the Tooltip field we input a cross-site script, i.e. (">">">"><script>alert(document.cookie);</script>),

and clicked INSERT.

Basically, the Tooltip field breaks the anchor tag's title parameter and the script executes.

Though we have implemented HTML encode and decode, we are still experiencing this alert popup with cookie data, both on encode and save and on decode and show.

 

Or, please let us know:

How to restrict the user to input only alphanumeric values into the "Text" and "ToolTip" fields when the user clicks the "Insert Link" option on the Kendo Editor (CK Editor).

1 comment
ADMIN
Dimitar
Posted on: 15 Dec 2021 11:40

Hi Mark,

Thank you for your feedback. We tried to reproduce the issue on our side with the latest version - demo - and with 2020.2.513 - Dojo snippet - but the issue is not reproducible following the steps. Is it reproducible on your side with these links? Is there anything different in the steps to reproduce that should be added? If the issue is not reproducible with the links, it would be helpful if you could provide a Dojo snippet URL for reproduction.

For future reference and to avoid thread duplication, I would like to link here the two forum threads related to this issue:

https://www.telerik.com/forums/cross-site-script-prevention-on-editor-createlink-pop-up

https://www.telerik.com/forums/restrict-user-to-input-alphanumeric-values-on-insert-link-pop-pop

I would like to mention here that, as my colleague replied, "even if the script is executed after inserting the link in the content area that still does not lead to a valid XSS attack", and it should be checked "if submitting or getting the content via the value method retrieves the script injections. Encoding happens when content is submitted or retrieved." The Editor's Preventing XSS article provides further details: https://docs.telerik.com/kendo-ui/controls/editors/editor/preventing-xss.

Regards,
Dimitar
Progress Telerik

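The following is an added example and is not Kendo UI or Telerik code, nor code from either poster. It illustrates the two points raised in this thread in plain JavaScript: how a double quote in the Tooltip field closes the anchor's title attribute when the dialog's fields are concatenated into markup without attribute encoding (the behaviour Mark describes), and why a value that is HTML-encoded on submit or retrieval carries no live script element (the point in Dimitar's reply). It also shows an alphanumeric whitelist of the kind the report asks for, plus a scheme check for the URL field. All function names, the encoding routine, the whitelist pattern and the allowed URL schemes are assumptions made for this demonstration, not the Editor's API or its actual sanitisation logic. It runs under Node.js with no browser or editor.

```javascript
// Added example (not Kendo UI / Telerik code): attribute-context break-out,
// context-aware encoding, an alphanumeric whitelist, and what an HTML-encoded
// editor value looks like on submit. All names here are assumptions.

// Constructed sample input: the Tooltip payload quoted in the report.
const TOOLTIP_PAYLOAD = '">">">"><script>alert(document.cookie);</script>';

// Escape the five characters that matter inside HTML text and inside
// double-quoted attribute values.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: fields are concatenated straight into markup. A double quote in the
// tooltip closes the title attribute and the rest of the payload becomes markup.
function buildLinkUnsafe(url, text, tooltip) {
  return `<a href="${url}" title="${tooltip}">${text}</a>`;
}

// Hardened: each field is encoded for the context it lands in (attribute value
// or element text), so the tooltip stays a literal string.
function buildLinkSafe(url, text, tooltip) {
  return `<a href="${encodeHtml(url)}" title="${encodeHtml(tooltip)}">${encodeHtml(text)}</a>`;
}

// Whitelist for the Text and ToolTip fields: letters and digits, with single
// spaces between words. Quotes, angle brackets and everything else are rejected.
const ALNUM_WORDS = /^[A-Za-z0-9]+( [A-Za-z0-9]+)*$/;
function isAlphanumeric(value) {
  return ALNUM_WORDS.test(value);
}

// The URL field needs a scheme check rather than a character whitelist. Policy
// assumed for this example: http(s) and mailto only, so "javascript:" and
// "data:" URLs are refused. Relative URLs resolve against a placeholder base.
function isSafeUrl(value) {
  try {
    const u = new URL(value, 'https://placeholder.invalid/');
    return ['http:', 'https:', 'mailto:'].includes(u.protocol);
  } catch {
    return false;
  }
}

// Crude detector used only to compare the two builders: is there a literal
// <script start tag in the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// What the server receives when the editor's value is HTML-encoded on submit:
// the whole fragment is text, so a <script> that slipped into the content area
// arrives as "&lt;script&gt;" and is not an element.
function encodeForSubmit(html) {
  return encodeHtml(html);
}

// Small demonstration with the constructed payload.
function demo() {
  const unsafe = buildLinkUnsafe('https://example.com/docs', 'Read more', TOOLTIP_PAYLOAD);
  const safe = buildLinkSafe('https://example.com/docs', 'Read more', TOOLTIP_PAYLOAD);
  console.log('unsafe markup contains <script>:        ', containsScriptTag(unsafe));
  console.log('safe markup contains <script>:          ', containsScriptTag(safe));
  console.log('unsafe markup, encoded on submit:       ', containsScriptTag(encodeForSubmit(unsafe)));
  console.log('tooltip payload passes whitelist:       ', isAlphanumeric(TOOLTIP_PAYLOAD));
  console.log('"javascript:alert(1)" accepted as URL:  ', isSafeUrl('javascript:alert(1)'));
}

demo();
```

The whitelist is deliberately strict (it also rejects periods and hyphens); widen the character class to suit, but keep `"`, `<`, `>` and `&` out of the Text and ToolTip fields, and validate the URL field separately, since a character whitelist cannot express "no javascript: scheme". Encoding the whole value on submit, as the reply describes, neutralises the markup on the server side, but it does not stop the script from running inside the editor's own content area, which is why both the dialog-level encoding and the value-level encoding are worth having.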