Html encoding problems

10 posts, 0 answers
  1. Andreas
    137 posts
    Member since:
    May 2008

    Posted 17 Oct 2013

    Hi,

    What is the deal with html encoding in RadDropDownList?
    Can't make it work correctly...

    I suppose that we should html encode the text property of the items?
    But even if doing so, there will be problems when selecting items...

    See the following sample:
    <%@ Page Language="vb" AutoEventWireup="false" CodeBehind="dropdownlist.aspx.vb" Inherits="TestaTredjepartWeb.dropdownlist" %>
     
    <!DOCTYPE html>
    <html>
     
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
            <asp:ScriptManager ID="s" runat="server">
            </asp:ScriptManager>
            <div>
                <telerik:RadDropDownList ID="ddl" runat="server">
                </telerik:RadDropDownList>
            </div>
        </form>
    </body>
    </html>

    Code behind:
    Public Class dropdownlist
        Inherits System.Web.UI.Page
     
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            ddl.Items.Add(New Telerik.Web.UI.DropDownListItem(HttpUtility.HtmlEncode("<script>alert('hello1');</script>"), "1"))
            ddl.Items.Add(New Telerik.Web.UI.DropDownListItem(HttpUtility.HtmlEncode("<script>alert('hello2');</script>"), "2"))
        End Sub
     
    End Class

    When selecting item 2 in the dropdown the alert will display (hello2) and the text in the dropdown will be empty.
    Is there any workaround for this?

    Regards
    Andreas
  2. Dimitar Terziev
    Admin
    1266 posts

    Posted 22 Oct 2013

    Hello Andreas,

    The experienced behavior is caused by a bug with the RadDropDownList, where the text content is evaluated once set in the "input" part of the control. The issue is already logged for fixing; as a token of gratitude for this bug report, your Telerik points are updated. As a temporary solution until the issue is fixed, you could place the following script on the page where the RadDropDownList resides:
    Telerik.Web.UI.RadDropDownList.prototype._updateTextElement = function(value) {
                    var $element = $telerik.$(this.get_textElement());
                    if (value) {
                        $element.text(value);
                        $element.removeClass("rddlDefaultMessage");
                    }
                    else {
                        $element.html(this.get_defaultMessage());
                        $element.addClass("rddlDefaultMessage");
                    }
                 
                    this.get_element().value = value;
                }


    Regards,
    Dimitar Terziev
    Telerik
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.
  4. Andreas
    137 posts
    Member since:
    May 2008

    Posted 31 Oct 2013

    Well, it almost works...

    If setting the dropdown to autopostback and selecting the same item that was already selected, the text gets encoded twice.
    Sample:
    <%@ Page Language="vb" AutoEventWireup="false" CodeBehind="dropdownlist.aspx.vb" Inherits="TestaTredjepartWeb.dropdownlist" %>
     
    <!DOCTYPE html>
    <html>
     
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
            <asp:ScriptManager ID="s" runat="server">
            </asp:ScriptManager>
            <div>
                <telerik:RadDropDownList ID="ddl" runat="server" AutoPostBack="true">
                </telerik:RadDropDownList>
            </div>
            <script type="text/javascript">
                Telerik.Web.UI.RadDropDownList.prototype._updateTextElement = function (value)
                {
                    var $element = $telerik.$(this.get_textElement());
                    if (value)
                    {
                        $element.text(value);
                        $element.removeClass("rddlDefaultMessage");
                    }
                    else
                    {
                        $element.html(this.get_defaultMessage());
                        $element.addClass("rddlDefaultMessage");
                    }
     
                    this.get_element().value = value;
                }
     
            </script>
        </form>
    </body>
    </html>
    Public Class dropdownlist
        Inherits System.Web.UI.Page
     
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            If Not Me.IsPostBack Then
                ddl.Items.Add(New Telerik.Web.UI.DropDownListItem(HttpUtility.HtmlEncode("<script>alert('hello1');</script>"), "1"))
                ddl.Items.Add(New Telerik.Web.UI.DropDownListItem(HttpUtility.HtmlEncode("<script>alert('hello2');</script>"), "2"))
            End If
        End Sub
     
    End Class

    In this sample, when clicking the first item (that is already selected), the text gets encoded twice!

    Any workaround for this also?

    Regards
    Andreas
  5. Dimitar Terziev
    Admin
    1266 posts

    Posted 05 Nov 2013

    Hi Andreas,

    The official fix shall be included in the upcoming service pack.

    Regards,
    Dimitar Terziev
    Telerik
  6. ksuh
    44 posts
    Member since:
    Jul 2006

    Posted 15 Nov 2013

    This still doesn't work properly.  This is using the latest service pack.

    Make a dropdownlist with an item whose text has html tags in it.  The html will be rendered and not escaped.  This is rather problematic for obvious reasons.

  7. Dimitar Terziev
    Admin
    1266 posts

    Posted 18 Nov 2013

    Hello,

    By default the text of the DropDownItems is not encoded and this should be done manually. The fix included in the service pack addresses the issue that even encoded, the text content is evaluated when set to the "input".

    @Andreas
    The problem with the double encoding was not yet fixed, since the fix could introduce a breaking change. I shall try to provide an override which addresses this problem.

    Regards,
    Dimitar Terziev
    Telerik
  8. ksuh
    44 posts
    Member since:
    Jul 2006

    Posted 19 Nov 2013

    Doesn't matter if it's encoded - the html is rendered.

    <telerik:RadDropDownList AutoPostBack="true" runat="server">
      <Items>
        <telerik:DropDownListItem Text="1" />
        <telerik:DropDownListItem Text="2" />
        <telerik:DropDownListItem Text="3" />
        <telerik:DropDownListItem Text="4" />
        <telerik:DropDownListItem Text="&lt;b&gt;test&lt;/b&gt;" Selected="true" />
      </Items>
    </telerik:RadDropDownList>
  9. Dimitar Terziev
    Admin
    1266 posts

    Posted 22 Nov 2013

    Hi,

    Attached is a sample page showing how to overcome the problem with the text encoding as well as the problem with the double encoding when the already selected item is selected again.

    Regards,
    Dimitar Terziev
    Telerik
  10. Andreas
    137 posts
    Member since:
    May 2008

    Posted 25 Nov 2013

    Hi,

    Your example is working, but not my example...
    It seems like the "<"-char is working, but in my case we also have the "'"-char and that still gets encoded twice (becomes &#39;)...
    There is also a problem with other, more normal chars when using languages other than English; Swedish ö gets encoded twice, for example (becomes &#246;). This was actually the real problem that our end-users are experiencing!!!

    Regards
    Andreas
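
The symptoms reported in this thread (markup running, or entities such as &#39; and &#246; showing up on screen) are the two ways an encoding layer count can disagree with the output sink. The following is an added example, not code from Telerik or from any poster: a simplified model in which `htmlEncode`, `render`, `matrix` and `looksDoubleEncoded` are hypothetical helpers and the second sample string is constructed.

```javascript
// Added example; simplified model, not Telerik or .NET code.
// htmlEncode produces the entity forms quoted in the thread (&#39;, &#246;).
function htmlEncode(s) {
  const named = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(s).replace(/[&<>"'\u00A0-\u00FF]/g,
    (ch) => named[ch] || "&#" + ch.charCodeAt(0) + ";");
}

// Decodes exactly one layer; the single pass never rescans its own output.
function htmlDecode(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return String(s).replace(/&(?:#(\d{1,7})|(amp|lt|gt|quot));/g, (m, num, name) => {
    if (name) return named[name];
    const cp = Number(num);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// "text" sink: value shown literally (jQuery .text(), textContent).
// "html" sink: value parsed as markup (jQuery .html(), innerHTML).
function render(stored, sink) {
  if (sink === "text") return { visible: stored, active: false };
  return { visible: htmlDecode(stored), active: /<[a-z\/!]/i.test(stored) };
}

// For one original string, try 0, 1 and 2 encoding layers against both sinks.
function matrix(original) {
  const once = htmlEncode(original);
  const forms = { raw: original, once: once, twice: htmlEncode(once) };
  const out = {};
  for (const [name, stored] of Object.entries(forms)) {
    for (const sink of ["text", "html"]) {
      const r = render(stored, sink);
      out[name + "/" + sink] = r.active ? "markup-parsed"
        : r.visible === original ? "ok" : "shows-entities";
    }
  }
  return out;
}

// Heuristic QA check for rendered output that was encoded more than once.
function looksDoubleEncoded(s) {
  return /&amp;(?:#\d+|amp|lt|gt|quot);/.test(s);
}

// Samples: the item text posted in the thread, and a constructed Swedish string.
for (const sample of ["<script>alert('hello2');</script>", "Malmö's"]) {
  console.log(sample, matrix(sample));
}
```

Only two combinations come out as "ok": raw text into a text sink, and text encoded exactly once into an HTML sink. Every other pairing either lets markup reach the parser or displays entities to the user.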
  11. Dimitar Terziev
    Admin
    1266 posts

    Posted 26 Nov 2013

    Hi Andreas,

    In order to help you resolve the experienced issue, please open a support ticket and provide a sample project so we could inspect it locally.

    Regards,
    Dimitar Terziev
    Telerik