@Html.Raw vs. Escaping in Template in Razor file

2 posts, 0 answers
  1. Ed

    Posted 17 Oct

    In my cshtml, I am rendering a template that will be used via javascript.

    <script id="my-template" type="text/x-kendo-tmpl">
        <select id="myType">
            @foreach (var src in Model.MyTypes)
            {
                <option value="@Html.Raw(@src.Key)">@Html.Raw(@src.Value)</option>
            }
        </select>
    </script>

    Note that I'm using @Html.Raw to output the value and text of the select items. This is necessary because we support several languages and without the @Html.Raw, the result is an invalid template.

    If I keep the @Html.Raw, I'm exposing a potential hole for XSS because this data is supplied by the user.

    How can I allow multiple locales and not expose an XSS vulnerability (without having to encode the data stored in the DB)?

    Thanks,

    --Ed

  2. Ivan Danchev
    Admin

    Posted 19 Oct

    Hello Ed,

    Html.Raw exposing an XSS vulnerability is a general MVC issue not related to a specific Telerik helper, thus we do not have methods or ways to affect this limitation.
    We would suggest considering using other means of sanitizing the output HTML, for example the AntiXSS library:
    Regards,
    Ivan Danchev
    Telerik by Progress
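
An added example, not part of the original thread or of Telerik's code: one way to render the options without passing raw user data to `@Html.Raw`, assuming the template became invalid because HTML encoding emits numeric entities containing `#`, which Kendo templates treat as their delimiter. `KendoTemplateEncoding.EncodeForTemplate` is a hypothetical helper name and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class KendoTemplateEncoding
{
    // Hypothetical helper (not part of ASP.NET MVC or Kendo UI).
    // Step 1: HTML-encode, so markup characters in user data become entities
    //         and a stored "</script>" cannot close the template block.
    // Step 2: escape every '#' as "\#". Kendo templates use '#' as their
    //         delimiter, and step 1 itself emits '#' in numeric entities
    //         such as &#39; or &#232;. Escaping also stops user data from
    //         being evaluated as a template expression.
    public static string EncodeForTemplate(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        return WebUtility.HtmlEncode(value).Replace("#", "\\#");
    }

    // Razor usage inside the text/x-kendo-tmpl script block. Html.Raw is
    // still needed so Razor does not encode the already-encoded string twice:
    //   <option value="@Html.Raw(KendoTemplateEncoding.EncodeForTemplate(src.Key))">
    //       @Html.Raw(KendoTemplateEncoding.EncodeForTemplate(src.Value))
    //   </option>

    public static void Main()
    {
        // Constructed sample data standing in for Model.MyTypes.
        var myTypes = new Dictionary<string, string>
        {
            { "fr", "Pièce d'identité" },
            { "expr", "Type #= 1 + 1 # <b>x</b>" },
            { "close", "</script><b>x</b>" },
        };

        Console.WriteLine("<select id=\"myType\">");
        foreach (var src in myTypes)
        {
            Console.WriteLine("    <option value=\"{0}\">{1}</option>",
                EncodeForTemplate(src.Key), EncodeForTemplate(src.Value));
        }
        Console.WriteLine("</select>");
    }
}
```

The data in the database stays unencoded; encoding happens only at the point of output, and the browser decodes the entities when the compiled template's output is inserted into the page.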