We recently ran security scan on our web application which using "https://kendo.cdn.telerik.com/2020.2.513" Version.
and we encountered one scenario where Cross Site script executed even though we implemented encode and decode.
Scenari: User opens editor -> Clicks Insert Link Option.
We filled URL, Text inputs and for Tooltip fields we input Cross Site Script i.e (">">">"><script>alert(document.cookie);</script>)
and we clicked INSERT.
Basically the Tooltip field will break the anchor tag title parameter and script will execute.
Though we have implemented HTML encode and Decode we still experiencing this alert popup with cookie data while encode and Save and also Decode and Show.
Please let us know.
How to restrict user to input only Alphanumeric Values into the fields "Text", and "ToolTip" when user clicks "Insert Link" option on Kendo tool Editor (CK Editor).