Unplanned
Last Updated: 08 Apr 2020 13:53 by ADMIN
Created by: Wannes
Comments: 0
Category: Templates
Type: Feature Request
36
Concerning Cross Site Scripting (XSS), from the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may have been hacked).
While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.

The kendo.template() function, for example, can be extended to filter out any unwanted <script> tags. The following code would do it:

<code>
// Wrap kendo.template so the output of every compiled template is re-parsed
// with jQuery.parseHTML (keepScripts defaults to false) before it is returned.
// parseHTML removes <script> elements only; all other markup, attributes included, is kept.
var kendoTemplate = kendo.template;
kendo.template = function () {
    var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
    return function () {
        var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
        // Re-serialise the parsed nodes back to an HTML string
        return $("<div></div>").html(htmlWithoutScripts).html();
    };
};
</code>

The jQuery.parseHTML() function will strip any <script> tags...
I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
Maybe this code can be run only for the HTML expressions in the template (#= expression#).

Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

Best Regards,
Wannes Simons.
Unplanned
Last Updated: 01 Jul 2021 11:13 by ADMIN
Kendo templates are broken if they contain any character which is encoded to '&#123;', since '#' is an expression delimiter for Kendo templates. The documentation suggests escaping '#' with '\\#', but this makes the very basic syntax (example using ASP.NET MVC) look ridiculous: instead of writing @Localization.Get("aaa") I need to use @Html.Raw(Html.Kendo().TemplateEncode(Html.Encode(Localization.Get("aaa")))) for every localization string I have in Kendo templates (since any string may contain Unicode characters in some language).
If you had '##' or '$' as the expression delimiter, a simple @Localization.Get("aaa") would work in 99.9% of cases.
I suggest you:
1) Fix current template syntax parser to not treat HTML-encoded symbols as template delimiters.
2) For more reliability, create a second template type 'text/x-kendo-template2' with the delimiter being '##', '$' or whatever is found to be the least conflicting after proper analysis. Make it the recommended type for the future and make 'text/x-kendo-template' obsolete.
3) Add TemplateEncode() method to Kendo MVC extensions.
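Both of the requests above turn on how the `#` delimiter is parsed. The block below is an added example, not Kendo's implementation and not code from either poster: a minimal template compiler that follows the documented Kendo UI delimiter rules (`#= expr #` rendered raw, `#: expr #` HTML-encoded, `# statements #` executed, `\#` a literal hash). It shows that a value rendered with `#=` reaches the page unchanged, so a payload that carries no `<script>` element (an `onerror` attribute, for instance) is not something a `<script>`-stripping post-filter such as jQuery.parseHTML would take out, whereas `#:` encodes it; and that the bare `#` inside a literal `&#123;` is read as an opening delimiter until it is escaped. The payload, the `render*` helpers and the decision to throw on an unterminated expression are this example's own choices; a real Kendo template with the same input simply breaks, as the second post describes.

```javascript
// Added illustration: a minimal template compiler following the documented Kendo UI
// delimiter rules. This is NOT Kendo's implementation; it exists to make the
// encoding and delimiter behaviour observable without a browser or jQuery.

function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Split the template on unescaped '#'. Text outside delimiters becomes "text"
// tokens, text between a pair of '#' becomes "code" tokens, and '\#' is a literal '#'.
function tokenize(template) {
  const tokens = [];
  let buf = "";
  let inCode = false;
  for (let i = 0; i < template.length; i++) {
    const ch = template[i];
    if (ch === "\\" && template[i + 1] === "#") {   // escaped hash: keep it literally
      buf += "#";
      i++;
      continue;
    }
    if (ch === "#") {                                // delimiter: flush the buffer
      tokens.push({ type: inCode ? "code" : "text", value: buf });
      buf = "";
      inCode = !inCode;
      continue;
    }
    buf += ch;
  }
  if (inCode) {
    // A bare '#' inside literal text (e.g. the one in '&#123;') ends up here.
    throw new Error("unterminated template expression; escape a literal '#' as '\\#'");
  }
  tokens.push({ type: "text", value: buf });
  return tokens;
}

// Compile tokens into a function of `data`, the shape kendo.template(...) returns.
function compile(template) {
  let body = "var out = '';\n";
  for (const t of tokenize(template)) {
    if (t.type === "text") {
      body += "out += " + JSON.stringify(t.value) + ";\n";
    } else if (t.value.startsWith("=")) {
      body += "out += (" + t.value.slice(1) + ");\n";            // #= expr #  -> raw
    } else if (t.value.startsWith(":")) {
      body += "out += htmlEncode(" + t.value.slice(1) + ");\n";  // #: expr #  -> encoded
    } else {
      body += t.value + "\n";                                    // # statements #
    }
  }
  body += "return out;";
  const fn = new Function("data", "htmlEncode", body);
  return (data) => fn(data, htmlEncode);
}

// Constructed attacker-controlled value: no <script> element, only an event handler attribute.
const PAYLOAD = '<img src=x onerror="alert(1)">';

function renderRaw() {
  return compile("<li>#= data.name #</li>")({ name: PAYLOAD });
}

function renderEncoded() {
  return compile("<li>#: data.name #</li>")({ name: PAYLOAD });
}

function renderConditional(isAdmin) {
  return compile("# if (data.admin) { #<b>admin</b># } #")({ admin: isAdmin });
}

// The HTML entity '&#123;' contains a bare '#', so the template does not compile ...
function compileEntityUnescaped() {
  try {
    compile("<span>&#123;</span>");
    return "compiled";
  } catch (e) {
    return "error";
  }
}

// ... until that '#' is escaped, after which the entity reaches the output intact.
function renderEntityEscaped() {
  return compile("<span>&\\#123;</span>")({});
}

console.log(renderRaw());      // <li><img src=x onerror="alert(1)"></li>
console.log(renderEncoded());  // <li>&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</li>
console.log(compileEntityUnescaped(), renderEntityEscaped());  // error <span>&#123;</span>
```

The `renderRaw` output is exactly what a `<script>`-only post-filter would hand back unchanged, which is why encoding at the point of output (`#:`) rather than filtering after rendering is the check worth relying on for untrusted data; `#=` is for markup you have already decided to trust.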
Unplanned
Last Updated: 07 Feb 2020 21:29 by ADMIN
Created by: Imported User
Comments: 2
Category: Templates
Type: Feature Request
15
Add a template for summary rows. There is a need to display some text on a summary row.
Unplanned
Last Updated: 14 Oct 2021 11:33 by ADMIN
Created by: Imported User
Comments: 1
Category: Templates
Type: Feature Request
4
It would be nice if there was a tool that could validate if the template you are writing is valid or not, since the error message doesn't tell you where the error is.
Unplanned
Last Updated: 16 Nov 2021 15:46 by ADMIN
In the Grid component, the ClientDetailTemplate can be created within script tags and marked as text/kendo-tmpl, and then referenced via the ClientDetailTemplateId("...") option.

It would be great to be able to do the same with ClientRowTemplate as well, to save having to generate it manually in JavaScript using kendo.template(...).html().
Unplanned
Last Updated: 11 Mar 2019 12:39 by ADMIN
Created by: Fernando
Comments: 1
Category: Templates
Type: Feature Request
0

Hi Telerik team.

Is there a plan or intention to isolate the template engine into a separate file or something?

I like the Kendo UI template engine a lot; I would use it on its own in a project without Kendo, for example. It could even be an isolated npm module. In my opinion it is better than Mustache or Handlebars, because you can deal with pure JavaScript inside, instead of predefined functions and stuff like that.

Example: https://jsfiddle.net/yfz6he3u/

Cheers.