Concerning Cross Site Scripting (XSS), from the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may have been hacked). While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side. The kendo.template() function for example can be extended to filter out any unwanted <script> tags. The following code would do it:

<code>
var kendoTemplate = kendo.template;
kendo.template = function () {
    var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
    return function () {
        var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
        return $("<div></div>").html(htmlWithoutScripts).html();
    };
};
</code>

The jQuery.parseHTML() function will strip any <script> tags... I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal. Maybe this code can be run only for the HTML expressions in the template (#= expression#). Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option? Best Regards, Wannes Simons.
Hi, We're building a large JS app that uses jQuery templates. When the number of templates got out of hand, I moved it to another HTML page, and did a $.get("templates.html") and appended that to the DOM. We load each template one by one. We wanted to do parallel loading using something similar to head.js Maybe you guys can come up with a way of doing it neater. Maybe something like this: kendo.templates.remote = ['templates1.html', 'templates2.html']; kendo.ready(function(){ //kick ass! });
Kendo templates are broken if they contain any character which is encoded to '{', since '#' is an expression delimiter for kendo templates. Documentation suggests escaping '#' with '\\#', but this makes the very basic syntax (example using ASP.NET MVC) look ridiculous: instead of writing @Localization.Get("aaa") I need to use @Html.Raw(Html.Kendo().TemplateEncode(Html.Encode(Localization.Get("aaa")))) for every localization string I have in kendo templates (since any string may contain unicode characters in some language). If you had '##' or '$' as expression delimiter, simple @Localization.Get("aaa") would work in 99.9% of cases. I suggest you: 1) Fix the current template syntax parser to not treat HTML-encoded symbols as template delimiters. 2) For more reliability, create a second template type 'text/x-kendo-template2' with the delimiter being '##', '$' or whatever is found the least conflicting after proper analysis. Make it recommended for the future and make 'text/x-kendo-template' obsolete. 3) Add a TemplateEncode() method to the Kendo MVC extensions.
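The delimiter clash described in this post, and the output-encoding point behind the XSS post above, reproduced with an added example that is not Kendo's own code: a minimal compiler that mirrors the Kendo template syntax (#= raw, #: HTML-encoded, # code #, \# literal). The open/close option is a hypothetical extension used only to show how a two-character delimiter avoids the clash with HTML entities; it is not a Kendo setting.

```javascript
// Added example (not Kendo's code): a small compiler mirroring the Kendo template syntax
// so the HTML-entity clash and the value of "#:" output encoding can be reproduced offline.
//   #= expr #  raw output     #: expr #  HTML-encoded output
//   # code #   JavaScript     \#         literal '#'
// opts.open / opts.close are a hypothetical extension (not a Kendo setting) used to show
// how a delimiter such as <% %> sidesteps entities like &#65; in template text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function compile(template, opts = {}) {
  const open = opts.open || '#';
  const close = opts.close || '#';
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // regex-escape a delimiter
  // Alternative 1: backslash-escaped opening delimiter. Alternative 2: a delimited block.
  const re = new RegExp(`\\\\${esc(open)}|${esc(open)}([\\s\\S]*?)${esc(close)}`, 'g');
  const literal = (s) => `__out += ${JSON.stringify(s)};\n`;
  let body = 'var __out = "";\n';
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    body += literal(template.slice(last, m.index));
    last = re.lastIndex;
    if (m[1] === undefined) { body += literal(open); continue; }          // \# -> literal
    const block = m[1];
    if (block[0] === '=') body += `__out += String(${block.slice(1)});\n`;        // raw
    else if (block[0] === ':') body += `__out += __encode(${block.slice(1)});\n`; // encoded
    else body += `${block}\n`;                                                    // code
  }
  body += literal(template.slice(last));
  body += 'return __out;';
  // Kendo's default is a with-block (see the useWithBlock post); mirrored here.
  // A template broken by an unescaped entity like &#65; ... # throws SyntaxError at this point.
  const fn = new Function('data', '__encode', `with (data) { ${body} }`);
  return (data) => fn(data, htmlEncode);
}

// True when the template parses; false reproduces the "template is broken" complaint.
function compilesCleanly(template, opts) {
  try { compile(template, opts); return true; } catch (e) { return false; }
}
```

Note that `&#65;` followed by a later `#` makes the parser treat `65;</span>...` as code, which is why the unescaped entity fails while `&\#65;` or a `<% %>` delimiter succeed.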
When a grid has many columns, the column menu becomes difficult to use. This is because of two things: the columns are always in the order that they appear in the grid, and there is no support for templates/column grouping. The result is a long unordered list that is difficult for users to navigate quickly. Suggested improvements: 1) Add option to sort columns in alphabetic order in the column menu. 2) Add option to group columns either by data type or user-defined groups.
It would be nice to use your high performing template library with KnockoutJS
SVG paths are not rendering with kendo templates binding with MVVM view model. For reference: http://jsfiddle.net/qqzmZ/9/. Known Issue: In Firefox, when we inspect the svg element and edit that svg tag element (right click and select "Edit Svg") then the svg is rendered. But in IE 10 and Safari, no path tags are found in the svg tag. Other browsers except Chrome require the elements to be created with the correct namespace. Since the template output is a string this typically involves a DOMParser. The code works out to something like this:

var parser = new DOMParser();
var doc = parser.parseFromString(svgString, "text/xml");
var node = document.adoptNode(doc.documentElement);
// node can now be appended to the current document

Can this code be supported with kendo templates to render SVG tags?
Add Server-side rendering engines for templates. I would love them in .Net first and then php and then Ruby. Having server side is huge for SEO and with a rendering engine could basically take a huge chunk of server code out of the mix and just replace with templates.
If you edit a record in a grid it automatically validates against the validation rules defined in the schema.Model. However if you use a custom editor template you have to manually add the html attributes such as required to each input field. It would be nice to be able to use the same validation rules defined in the schema.Model for custom editor templates as well. Thanks, Dan
The template is not so friendly with document dbs such as MongoDB. Data in MongoDB is schema free, meaning some data fields may be missing. This may lead to an error while rendering templates. jQuery's API can have an optional arg to provide a default value, but I don't know how to do it in Kendo.
If a Kendo-Grid is set with .Scrollable(true) the height of the grid gets a style with "height:200px;". This seems to be unchangeable without editing the Kendo source code. But in my opinion this is somehow needed. Of course it could be changed later with some javascript code, but why so intricate? It would be much more efficient to "change" the CSS I want on the fly. E.g. .ScrollableStyle(new { @class = "max-height:300px;" })
Add support for templating panelbar items (separate templates for first (header) and second (items) level).
It would be nice if there was a tool that could validate if the template you are writing is valid or not, since the error message doesn't tell you where the error is.
It would be nice to be able to set the 'useWithBlock' setting to false globally so that I don't need to include that setting all the time when working with templates. I realize widgets use this and there is an undocumented way to do it - so, it would be great to have an official way to set this that is safe.
In the Grid component, the ClientDetailTemplate can be created within script tags and marked as text/kendo-tmpl, and then referenced via the ClientDetailTemplateId("...") option. It would be great to be able to do the same with ClientRowTemplate also to save having to manually generate it in javascript using kendo.template(...).html().
For all the “items” controls that have a “Template” configuration property to define the items (for example: combobox, dropdownlist) the documentation tells me the template property can be a string or function. If a function is used this function should return a string presentation of the Html you want to be rendered. I would like to have this template functionality enhanced so the function can also return an HtmlElement or HtmlFragment instead of a string. So the template function is fully responsible to construct the Html that will be inserted into the dom. Your template processing only has to check if the return type of the function is an instance of a HtmlElement or HtmlFragment and take the result of the function as it is. No further processing needed. Reasoning behind this feature request is: In my development I try to move away from string-based definition of Html as far as possible, because this string-based definition of Html and Htmltemplates is the weak part of a modern SPA architecture. No design-time checking of the content of this Html with its binding expressions is possible. Therefore I developed a component to define my HtmlElements or HtmlFragments in a strongly typed way. This component has full support for design-time checking of properties and binding expressions. The result from my component however is an HtmlElement, not a “String”. Now I have to work around this by serializing the HtmlElement to a string. This not only is a waste of performance but also makes it impossible to attach event handlers to the HtmlElement or its children.
Hi, I have noticed your planned development of a listview widget. If the listview and templates are to be synonymous, it might be worth your while to look at the unobtrusive pure approach. http://beebole.com/pure/
Because of some scenarios the "#" chars are restricted. So I want to use other chars instead. Maybe we can set the openTag and closeTag instead of "#". For example, <% and %>, [% and %] etc. Maybe this is flexible.