Hello,
I was notified that one of the sites I developed is returning a vulnerability to cross-site scripting. I have already tried many ways to correct this issue with code and content security policy changes. I still can't get rid of this vulnerability. We are using Progress® Telerik® UI for ASP.NET AJAX runtime version: v4.0.30319 version: 2020.1.114.45. Can I download the trial of ASP.NET AJAX and try that version of the treeview and see if that corrects the issue?
Issue Detail
The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.
Request
older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart
Response
> HTTP/2 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Type: text/plain; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/10.0
> X-Powered-By: ASP.NET
> X-Frame-Options: SAMEORIGIN
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7
> Strict-Transport-Security: max-age=31536000
> Date: Wed, 19 Mar 2025 16:26:27 GMT
> Content-Length: 82
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|
What is the best way to pinpoint this issue? How can I look at the scrollPosition and how is that causing this issue?
How do I fix this so it isn't showing up on the scans?
Thank you
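The response body above is the partial-postback error record (`68|error|500|<message>|`), and the message is the conversion error text for the scrollPosition value, which is why the payload is returned unchanged. One way to stop the raw exception text from being reflected is to replace it in the ScriptManager's AsyncPostBackError handler (RadScriptManager derives from ScriptManager, so the same event applies). This is an added example, not Telerik's code and not from the original post; the page class name and the Trace logging are assumptions.

```csharp
// Code-behind of the affected page (or a shared base page).
using System;
using System.Diagnostics;
using System.Web.UI;

public partial class IndexPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Works for RadScriptManager too, since it derives from ScriptManager.
        ScriptManager sm = ScriptManager.GetCurrent(Page);
        if (sm != null)
        {
            // Keep the error in-band for the async postback instead of a redirect,
            // but control what text is written into the "error|500|...|" record.
            sm.AllowCustomErrorsRedirect = false;
            sm.AsyncPostBackError += ScriptManager_AsyncPostBackError;
        }
    }

    private void ScriptManager_AsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
    {
        // Record the real exception server-side; the submitted value stays in the log only.
        Trace.TraceError("Async postback failed: {0}", e.Exception);

        // Generic message: nothing from the request is copied into the response.
        ((ScriptManager)sender).AsyncPostBackErrorMessage =
            "The request could not be processed.";
    }
}
```

To pinpoint the source, URL-decode the `..._tvIndex_ClientState` parameter in the request: it is a JSON object whose `scrollPosition` member is what the treeview converts to an integer on the server, and that conversion's error text is what the scanner saw echoed. After the handler is in place, resubmit the same request and confirm the `error|500|` record carries only the generic text.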
Greetings,
I'm currently trying to revamp one of my pages from server side binding to a web service binding and encountered a hiccup.
The page is as follows (see picture attached):
The Outside is a RadSplitter.
On the left side of the RadSplitter is an update panel, where inside is the RadTreeView.
On the right side, also inside an update panel, is a RadGrid.
The RadTreeView gets a basic set of nodes ("stations") on creation, but everything after that is loaded on demand by webservice. If a "station" is expanded, the webservice is triggered and supplies nodes to the RadGrid. This works correctly.
If I click on a "station", a client side event is triggered, which expands the node (therefore triggering the webservice and supplying nodes) and also calls the RadGrid to rebind (by client side). The Rebind triggers the OnNeedDataSource event of the RadGrid, where it loads its data server side.
The problem is with the click & expand, as the nodes are then only briefly visible in the RadTreeView and immediately removed again.
Is this a known problem? What can I do? I need the nodes in the tree but also the data in the RadGrid.
I made a video of the error, but it seems I cannot upload the video here. I also created a very basic test project.
I'm using Telerik 2023.1.117.45.
Thank you in advance!
Greetings,
I am currently working on an ASP.NET WebForms application, which uses a Telerik RadTreeView.
The treeview has the tri-state checkboxes active and gets populated server side. We first create a tree of stations (around 2500), which can contain other stations. After that, we populate the tree with datapoints by iterating over all stations and adding the datapoints with the Node.Add() method.
So the structure is as follows:
Station
- Station 1
- Station 2
- Station 4
- DataPoint
- DataPoint
- Station 5
The checkboxes are used to show if any datapoint is already selected in the treeview and to select additional datapoints for a grouping.
There are multiple groups which can be switched between to see a different selection in the tree.
Therefore, it is necessary to add every datapoint that was already selected (and saved) to show the tri-state checkboxes correctly on page load.
After that a load on demand is possible.
What I tried so far:
Loading the stations and inserting the datapoints (20k objects) after adding the root node to the RadTreeView.
Building the station tree is fast, but adding the nodes to the RadTreeView control takes a long time.
So my question is, is there a faster way to load about 20k objects into the tree, so on the change of grouping no new datapoints need to be loaded?
Or am I thinking this very wrong currently? Thank you in advance!
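The post's own plan (render the stations plus only the datapoints that are already selected for the current group, then load the remaining datapoints on demand) can be written against the RadTreeView server API as follows. This is an added example, not Telerik's code and not the poster's project: the Station and DataPoint types, the repository calls and CurrentGroupId are assumptions; the RadTreeView members used (Nodes, Value, Checked, ExpandMode, the NodeExpand event) are Telerik's.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Telerik.Web.UI;

public class Station { public int Id; public int? ParentId; public string Name; }
public class DataPoint { public int Id; public int StationId; public string Name; }

public partial class StationTreePage : System.Web.UI.Page
{
    // Assumed: comes from the grouping selector on the page.
    private int CurrentGroupId { get { return 1; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        List<Station> stations = StationRepository.All();                          // assumed
        List<DataPoint> selected = DataPointRepository.SelectedFor(CurrentGroupId); // assumed

        // Index once, so building the tree is a single pass instead of repeated scans.
        ILookup<int?, Station> childStations = stations.ToLookup(s => s.ParentId);
        ILookup<int, DataPoint> selectedByStation = selected.ToLookup(d => d.StationId);

        foreach (Station root in childStations[null])
            tvStations.Nodes.Add(BuildStationNode(root, childStations, selectedByStation));
    }

    private static RadTreeNode BuildStationNode(Station s,
        ILookup<int?, Station> childStations, ILookup<int, DataPoint> selectedByStation)
    {
        var node = new RadTreeNode(s.Name, "s:" + s.Id);
        foreach (Station child in childStations[s.Id])
            node.Nodes.Add(BuildStationNode(child, childStations, selectedByStation));

        // Only the already-selected datapoints are rendered now, pre-checked, so the
        // station's tri-state checkbox is correct on first load without the other ~20k nodes.
        foreach (DataPoint dp in selectedByStation[s.Id])
            node.Nodes.Add(new RadTreeNode(dp.Name, "d:" + dp.Id) { Checked = true });

        // The remaining datapoints are fetched in NodeExpand through a server-side callback.
        node.ExpandMode = TreeNodeExpandMode.ServerSideCallBack;
        return node;
    }

    // Wired in markup: <telerik:RadTreeView ID="tvStations" runat="server"
    //   CheckBoxes="true" TriStateCheckBoxes="true" OnNodeExpand="tvStations_NodeExpand" />
    protected void tvStations_NodeExpand(object sender, RadTreeNodeEventArgs e)
    {
        if (!e.Node.Value.StartsWith("s:")) return;          // datapoint nodes have no children
        int stationId = int.Parse(e.Node.Value.Substring(2));

        // Skip datapoints that were already rendered as selected in Page_Load.
        var present = new HashSet<string>();
        foreach (RadTreeNode existing in e.Node.Nodes) present.Add(existing.Value);

        foreach (DataPoint dp in DataPointRepository.ForStation(stationId))            // assumed
        {
            string value = "d:" + dp.Id;
            if (present.Contains(value)) continue;
            e.Node.Nodes.Add(new RadTreeNode(dp.Name, value));
        }

        e.Node.Expanded = true;
        // Children are loaded now; switch back so the callback does not fire on every expand.
        e.Node.ExpandMode = TreeNodeExpandMode.ClientSide;
    }
}
```

The node Value prefixes ("s:", "d:") are a convention chosen for this example so that station and datapoint nodes can be told apart server-side when reading CheckedNodes later; any stable scheme works as long as the datapoint ID can be recovered from the Value.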
In RadDropDownTree there is option EnableFiltering.
Is there some listbox (checkbox enabled) that has the same capabilities?
Or maybe a way to keep RadDropDownTree always opened?
Hello -
We are using Telerik forms for our internal website. When I download one page with all its components, it is 73 files and 11.2 MB total size. Screen captures attached.
Most of our site is made up of similar pages. Our site has an average 500 connections per second. During peak times, the website crawls, with 20-30 seconds to return one page for each user.
We are accessing only text, with about 200 KB of text returned for each request.
It looks like 99.3% of the size of our pages is Telerik related files (mostly axd and js).
What could we be doing wrong? What should we be doing differently to reduce the size or count of Telerik files returned to the client?
Thank you!
I'm using RadListBox as a RadTreeview in my page.
I'm binding data to RadTreeview with:
List<SiteDataItem> siteData = GetNotificationTree();
treeView.DataTextField = "Text";
treeView.DataFieldID = "ID";
treeView.DataFieldParentID = "ParentID";
treeView.DataSource = siteData;
treeView.DataBind();
Serverside I want to read the Value of the checked items. In Listbox that works with:
ListBox.CheckedItems.Select(_ => int.Parse(_.Value))
But in Treeview I'm not able to access the values e.g. with:
Treeview.CheckedNodes.Select(_ => int.Parse(_.Value)). I'm only able to read the text property but not the value bound to the TreeView.
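For comparison with the binding code in the post, here is a complete bind-and-read round trip for a RadTreeView that also sets DataValueField, so that each node's Value carries the bound ID and CheckedNodes can be read back as integers. This is an added example, not Telerik's code and not from the original post; the shape of SiteDataItem, the page class and the TryParse-based filtering are assumptions (GetNotificationTree() and the field names are the ones the post uses).

```csharp
using System;
using System.Collections.Generic;
using Telerik.Web.UI;

public class SiteDataItem
{
    public int ID { get; set; }
    public int? ParentID { get; set; }   // null marks a root item for hierarchical binding
    public string Text { get; set; }
}

public partial class NotificationPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            List<SiteDataItem> siteData = GetNotificationTree();   // assumed, as in the post
            treeView.DataTextField = "Text";
            treeView.DataValueField = "ID";      // populates RadTreeNode.Value
            treeView.DataFieldID = "ID";         // hierarchy: which field is the node key
            treeView.DataFieldParentID = "ParentID";
            treeView.DataSource = siteData;
            treeView.DataBind();
        }
    }

    // Values of the checked nodes as integers. Nodes whose Value is not numeric are
    // skipped instead of throwing, so one unexpected node cannot fail the whole postback.
    protected List<int> CheckedIds()
    {
        var ids = new List<int>();
        foreach (RadTreeNode node in treeView.CheckedNodes)
        {
            int id;
            if (int.TryParse(node.Value, out id)) ids.Add(id);
        }
        return ids;
    }
}
```

DataFieldID and DataFieldParentID only describe the hierarchy; they do not fill Node.Value. Without DataValueField the Value stays empty, which is why int.Parse fails while Text reads fine.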
The page starts without the element on it, but through another action everything in the image below will show up on the page. Once the element is populated on the page, something isn't calculated correctly in terms of the dropdown list location - the yellow highlighted area just under the "Record Types" widget is where I expect the list to be. In particular, class rddtSlide top property is what is miscalculated. What calculates this position? And how can I get it to calculate properly once it shows up on the page?
Trying to use Lightweight mode but in current browsers it's not working properly and it's even unusable with RadTreeview. I even tried to use your ThemeBuilder but the online sample gives bad results also. Check the image from ThemeBuilder.
I'm using Windows 11, latest version of Edge.
Thank you