Last Updated: 11 Mar 2019 12:39 by ADMIN
Created by: Fernando
Comments: 1
Category: Templates
Type: Feature Request

Hi Telerik team.

Is there a plan or intention to isolate the Template engine into a separate file or something?

I like the Kendo UI Template engine a lot, and I would use it isolated in a project without Kendo, for example. It could even be an isolated npm module. I think it is better than mustache or handlebars imo, because you can deal with pure JavaScript inside, instead of predefined functions and stuff like that.

Example: https://jsfiddle.net/yfz6he3u/


Last Updated: 07 Feb 2020 21:29 by ADMIN
Created by: Imported User
Comments: 2
Category: Templates
Type: Feature Request

Add template for summary rows. There is a need to display some text on summary row.


Last Updated: 08 Apr 2020 13:53 by ADMIN
Created by: Wannes
Comments: 0
Category: Templates
Type: Feature Request

Concerning Cross Site Scripting (XSS), from the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may have been hacked).
While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.

The kendo.template() function for example can be extended to filter out any unwanted <script> tags. The following code would do it:

// Keep a reference to the original template factory.
var kendoTemplate = kendo.template;
kendo.template = function () {
    var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
    return function () {
        // $.parseHTML() drops <script> elements unless keepScripts is true.
        var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
        return $("<div></div>").html(htmlWithoutScripts).html();
    };
};

The jQuery.parseHTML() function will strip any <script> tags...
I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
Maybe this code can be run only for the HTML expressions in the template (#= expression#).

Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

Best Regards,
Wannes Simons.
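
An added example, not part of the post above or of Kendo UI: the same factory-wrapping pattern, but HTML-encoding every string in the data before the compiled template sees it, so any markup in server data (not only <script> tags) is rendered as text. `miniTemplate` is a hypothetical stand-in for `kendo.template` that handles only `#= path #`, so the block runs without Kendo or a DOM; `htmlEncode`, `encodeData`, `withEncodedData` and the sample record are constructed for the example.

```javascript
// Added example: encode data values instead of stripping tags from output.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(value) {
    return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Recursively copy the data, encoding strings; numbers, booleans and null pass through.
function encodeData(data) {
    if (typeof data === "string") return htmlEncode(data);
    if (Array.isArray(data)) return data.map(encodeData);
    if (data !== null && typeof data === "object") {
        const copy = {};
        for (const key of Object.keys(data)) copy[key] = encodeData(data[key]);
        return copy;
    }
    return data;
}

// Same wrapping pattern as the post: template factory in, template factory out.
function withEncodedData(templateFactory) {
    return function (...factoryArgs) {
        const render = templateFactory.apply(this, factoryArgs);
        return function (data, ...rest) {
            return render.call(this, encodeData(data), ...rest);
        };
    };
}

// Hypothetical stand-in for kendo.template: supports only raw "#= path #" output.
function miniTemplate(source) {
    return (data) => source.replace(/#=\s*([\w.]+)\s*#/g, (_, path) =>
        path.split(".").reduce((obj, key) => (obj == null ? obj : obj[key]), data) ?? "");
}

const safeTemplate = withEncodedData(miniTemplate);

// Constructed sample record, standing in for data from an untrusted server.
const sample = {
    name: "<script>doSomething()</script>",
    note: "<b>bold</b>",
    tags: ["a&b"],
    count: 3
};
const render = safeTemplate("<li>#= name # / #= note # / #= tags.0 # / #= count #</li>");
const output = render(sample);
console.log(output);
```

With Kendo loaded, the wrapper would be applied as `kendo.template = withEncodedData(kendo.template)`; values that are meant to carry HTML would then need to bypass it explicitly.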