3 Answers, 1 is accepted
0
Hi Chris,
As far as we know the grid is not vulnerable to XSS attacks. Let me know if you find such vulnerability.
All the best,
Vlad
the Telerik team
Check out Telerik Trainer, the state of the art learning tool for Telerik products.
As far as we know the grid is not vulnerable to XSS attacks. Let me know if you find such vulnerability.
All the best,
Vlad
the Telerik team
Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Rob T
Top achievements
Rank 1
Rank 1
answered on 09 Feb 2009, 07:04 PM
Vlad,
I have a similar request as Chris, I'd like to HtmlEncode the grid output. You state that you do not think that the radgrid is vulnerable to xss attacks, and after playing around a bit thats partially true. When I try to do some test inserts on your radgrid demo pages my attempts at adding <script>alert("foo")</script> tags fail. This is a good start, were halfway there.
Where I start to have problems is if I insert the same test script into my database record and then populate the radgrid. Unfortunatly the alert gets run. I think this is a problem.
Since my data is not always comming in via means I can control I need to make sure it's safely displayed. The capacity to display GridBoundColumns with some sort of HtmlEncoding could mitigate this issue.
I realize I can handle with a GridTemplateColumn, or in the OnBound event, but your controls are easy to use and I'd rather keep it that way.
Rob
0
Roatin Marth
Top achievements
Rank 1
Rank 1
answered on 09 Feb 2009, 09:32 PM
Good timing of this question. See a question I just asked related to an XSS vulnerability in the grid at http://www.telerik.com/community/forums/aspnet-ajax/grid/htmlencode-true-not-honoured-on-a-gridboundcolumn-when-using-clientside-data-binding.aspx