Concerning Cross-Site Scripting (XSS), from the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may have been hacked). While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client side. The kendo.template() function, for example, can be extended to filter out any unwanted <script> tags. The following code would do it:

    // Keep a reference to the original compiler and replace it with a wrapper.
    var kendoTemplate = kendo.template;
    kendo.template = function () {
        // Compile the template exactly as Kendo would.
        var templateFunction = kendoTemplate.apply(kendo, arguments);
        return function () {
            // Render, then re-parse the markup: jQuery.parseHTML() drops <script>
            // elements (keepScripts defaults to false) before it is serialised again.
            var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
            return $("<div></div>").html(htmlWithoutScripts).html();
        };
    };

The jQuery.parseHTML() function will strip any <script> tags. I'm not sure what the impact on performance is when there are many repeated template calls on the same screen, but for normal use the overhead should be minimal. Maybe this code can be run only for the HTML expressions in the template (#= expression #).

Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

Best Regards,
Wannes Simons
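The post-processing idea above, as an added example that is not part of the original post and not Kendo's or jQuery's code. It runs in Node without either library: compileTemplate is a hypothetical stand-in for kendo.template() that only supports `#= field #` (raw) and `#: field #` (HTML-encoded) lookups, and stripScripts stands in for the jQuery.parseHTML() round trip, which needs a DOM. The wrapper is the same shape as the one in the post; the sample payloads are constructed.

```javascript
// Added example (not from the post or from Kendo): a script-stripping
// wrapper around a template compiler, plus the case it does not cover.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hypothetical stand-in for kendo.template(): compile once, render many times.
function compileTemplate(source) {
  return function (data) {
    return source.replace(/#([=:])\s*(\w+)\s*#/g, (_, mode, key) =>
      mode === ':' ? htmlEncode(data[key]) : String(data[key]));
  };
}

// Stand-in for $.parseHTML(html) followed by re-serialisation: remove
// <script> elements. A regex is used only because Node has no DOM parser;
// in the browser the jQuery call from the post does this job.
function stripScripts(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<script\b[^>]*>[\s\S]*$/i, ''); // an unterminated <script> eats the rest
}

// The wrapper from the post, generalised to any compile function: rendered
// markup is filtered before the caller hands it to the DOM.
function withScriptStripping(compile) {
  return function () {
    const render = compile.apply(this, arguments);
    return function () {
      return stripScripts(render.apply(this, arguments));
    };
  };
}

const safeCompile = withScriptStripping(compileTemplate);

// Constructed sample values, as a compromised server might return them.
const SCRIPT_PAYLOAD = '<script>alert(1)</script>Alice';
const HANDLER_PAYLOAD = '<img src=x onerror=alert(1)>Bob';

function renderRaw(name) {      // `#= #` emits the value as-is
  return safeCompile('<td>#= name #</td>')({ name });
}
function renderEncoded(name) {  // `#: #` HTML-encodes the value
  return safeCompile('<td>#: name #</td>')({ name });
}

// renderRaw(SCRIPT_PAYLOAD)      -> '<td>Alice</td>'   (script element removed)
// renderRaw(HANDLER_PAYLOAD)     -> '<td><img src=x onerror=alert(1)>Bob</td>'
//   no <script> to strip, so the event-handler payload reaches the DOM intact
// renderEncoded(HANDLER_PAYLOAD) -> '<td>&lt;img src=x onerror=alert(1)&gt;Bob</td>'
```

The wrapper is defence in depth, not a replacement for encoding: it only removes script elements, so a payload carried in an event-handler attribute (or a javascript: URL) in a raw `#= #` expression survives it. The real jQuery.parseHTML() behaves the same way in the browser; its documentation notes that scripts can still run indirectly via attributes such as `<img onerror>`. The `#: #` expression, which HTML-encodes the value, is what actually neutralises untrusted data.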
Kendo templates are broken if they contain any character which is encoded to '{', since '#' is an expression delimiter for Kendo templates. The documentation suggests escaping '#' with '\\#', but this makes the very basic syntax (example using ASP.NET MVC) look ridiculous: instead of writing @Localization.Get("aaa") I need to use @Html.Raw(Html.Kendo().TemplateEncode(Html.Encode(Localization.Get("aaa")))) for every localization string I have in Kendo templates (since any string may contain Unicode characters in some language). If you had '##' or '$' as the expression delimiter, a simple @Localization.Get("aaa") would work in 99.9% of cases. I suggest you:

1) Fix the current template syntax parser to not treat HTML-encoded symbols as template delimiters.
2) For more reliability, create a second template type 'text/x-kendo-template2' with the delimiter being '##', '$' or whatever is found to be the least conflicting after proper analysis. Make it recommended for the future and make 'text/x-kendo-template' obsolete.
3) Add a TemplateEncode() method to the Kendo MVC extensions.
It would be nice if there was a tool that could validate whether the template you are writing is valid or not, since the error message doesn't tell you where the error is.
In the Grid component, the ClientDetailTemplate can be created within script tags marked as text/kendo-tmpl and then referenced via the ClientDetailTemplateId("...") option. It would be great to be able to do the same with ClientRowTemplate as well, to save having to generate it manually in JavaScript using kendo.template(...).html().
Hi Telerik team.

Is there a plan or intention to isolate the template engine into a separate file or something?

I like the Kendo UI Template engine a lot; I would use it isolated in a project without Kendo, for example. It could even be an isolated npm module. I think it is better than Mustache or Handlebars imo, because you can deal with pure JavaScript inside, instead of predefined functions and stuff like that.

Example: https://jsfiddle.net/yfz6he3u/

Cheers.
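Three of the requests above (a stand-alone engine that accepts plain JavaScript inside the template, an error message that says where a template breaks, and the collision between the '#' delimiter and HTML-encoded characters such as '&#160;') can be seen in one place with a small compiler for the same syntax. This is an added example, not Kendo's template engine or any Telerik code; compile() and htmlEncode() are this example's own names, it runs in Node with no dependencies, and the templates are constructed.

```javascript
// Added example (not Kendo's code): a self-contained compiler for a
// Kendo-style template syntax. Supported: `# statements #`, `#= expr #`
// (raw), `#: expr #` (HTML-encoded) and `\#` for a literal hash, with
// expressions evaluated as plain JavaScript against the data object.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function emitLiteral(text) {
  return text ? '__out += ' + JSON.stringify(text) + ';\n' : '';
}

function compile(source) {
  // Either an escaped hash or a delimited block. The lazy match closes at the
  // next '#', which is exactly why '&#160;' inside the markup derails parsing.
  const token = /\\#|#([=:]?)([\s\S]*?)#/g;
  let code = '';
  let last = 0;
  let m;
  while ((m = token.exec(source)) !== null) {
    code += emitLiteral(source.slice(last, m.index));
    if (m[0] === '\\#') {
      code += emitLiteral('#');
    } else if (m[1] === '=') {
      code += '__out += (' + m[2] + ');\n';
    } else if (m[1] === ':') {
      code += '__out += htmlEncode(' + m[2] + ');\n';
    } else {
      code += m[2] + '\n';            // raw JavaScript statement(s)
    }
    last = token.lastIndex;
  }
  const tail = source.slice(last);
  const stray = tail.indexOf('#');
  if (stray !== -1) {
    // Say where the template went wrong, not just that it did.
    throw new Error('Unterminated "#" at offset ' + (last + stray) + ' near ' +
      JSON.stringify(tail.slice(stray, stray + 20)));
  }
  code += emitLiteral(tail);
  // Evaluate inside with(data) so fields can be referenced by bare name.
  const fn = new Function('data', 'htmlEncode',
    'var __out = "";\nwith (data) {\n' + code + '}\nreturn __out;');
  return (data) => fn(data, htmlEncode);
}

// Inline JavaScript in the template: a loop around an encoded item expression.
function renderList(items) {
  const tpl = compile('<ul># for (var i = 0; i < items.length; i++) { #' +
                      '<li>#: items[i] #</li># } #</ul>');
  return tpl({ items });
}

// The entity problem from the thread: '&#160;' (a non-breaking space) puts a
// '#' into the markup, which the parser takes for a delimiter. Escaping it as
// '\#', as the documentation suggests, makes the template compile again.
function renderWithEntity(escaped) {
  const src = escaped
    ? '<span>&\\#160;#= name #</span>'
    : '<span>&#160;#= name #</span>';
  try {
    return compile(src)({ name: 'Alice' });
  } catch (e) {
    return 'error: ' + e.message;
  }
}
```

renderList(['a', '<b>']) gives `<ul><li>a</li><li>&lt;b&gt;</li></ul>`; renderWithEntity(false) returns an error naming offset 20, the '#' that was left without a partner once '#160;#' had been consumed as a statement block, and renderWithEntity(true) returns `<span>&#160;Alice</span>`. Because the template body is compiled with new Function, anything that can reach a template source (including server-supplied markup) gets code execution in the page, which is the same trust boundary the real engine has.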