Kendo Editor in a Grid Popup Editor

4 posts, 0 answers
  1. Travis
    Travis avatar
    2 posts
    Member since:
    May 2014

    Posted 06 Jul 2015 Link to this post

    In the Kendo Editor documentation it says the following:

    The editor value will be posted as a string and mapped to a variable with the name of the widget. Note that the posted value is HTML-encoded by default, in order to circumvent the ASP.NET request validation. In order to decode the value, use the HttpUtility.HtmlDecode method. (http://docs.telerik.com/kendo-ui/aspnet-mvc/helpers/editor/overview)

    This works fine when I place the editor in a normal view such as Edit.cshtml; however, when I use a Grid and provide a custom popup editor template, I cannot use a Kendo Editor without specifying [AllowHtml] on the model. Why is this?

  2. Alexander Popov
    Admin
    Alexander Popov avatar
    1416 posts

    Posted 08 Jul 2015 Link to this post

    Hi Travis,

    The AllowHtml is required because of the validation that happens during the Model binding. Allowing HTML should be done carefully and per-field as otherwise the application might become vulnerable to XSS attacks.

    Regards,
    Alexander Popov
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  4. Travis
    Travis avatar
    2 posts
    Member since:
    May 2014

    Posted 08 Jul 2015 in reply to Alexander Popov Link to this post

    I understand why it is required in general. I asked why it's required when used in a Grid popup window but not required when used anywhere else. Look at your own documentation. Your documentation says you encode the content before sending it to the server so that you don't have to add [AllowHtml]. I created a small proof of concept and I was able to add an editor to a page and post it to a controller action without adding [AllowHtml] to the model. I do the exact same thing as part of a popup editor in a grid and now I have to add [AllowHtml]. I'm just trying to understand why your code is inconsistent.

  5. Alexander Popov
    Admin
    Alexander Popov avatar
    1416 posts

    Posted 10 Jul 2015 Link to this post

    Hello again Travis,

    The encoded option determines whether or not the Editor's textarea is encoded, for example:
    editor.options.encoded
    true
    editor.element.val()
    "Aniseed &lt;strong&gt;Syrup&lt;/strong&gt;"

    editor.options.encoded
    false
    editor.element.val()
    "Aniseed <strong>Syrup</strong>"

    It does not affect the widget value though and the Grid's dataItem is actually updated with values containing HTML strings, which are considered unsafe.

    Regards,
    Alexander Popov
    Telerik
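The two posting paths the thread contrasts, as an added example that is not Telerik's code and not part of the original thread. It models a plain-form post (where the Editor's textarea is entity-encoded when `encoded` is true) against a Grid popup save (where the Grid's dataItem receives the raw widget value and the DataSource posts that). The `htmlEncode`/`htmlDecode` helpers, the `requestValidationRejects` function (a deliberately simplified approximation of ASP.NET request validation, not its real implementation) and the `ProductID`/`Description` field names are all assumptions made for this example.

```javascript
// Added example: models why [AllowHtml] is needed for the Grid popup path
// but not for a plain form post. Nothing here is Kendo's own implementation.

// Approximation of what the Editor does to its textarea when encoded === true.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Counterpart of HttpUtility.HtmlDecode for the entities htmlEncode produces.
function htmlDecode(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Simplified stand-in for ASP.NET request validation (assumption, not the real
// check): a value is treated as dangerous if it contains "<" followed by a
// letter, "!", "/" or "?", or the sequence "&#".
function requestValidationRejects(value) {
  return /<[a-zA-Z!/?]|&#/.test(value);
}

// Path 1: Editor in a normal view. The form serializes the textarea, so with
// encoded === true the server sees entities, validation passes, and the action
// recovers the markup with HtmlDecode.
function simulateFormPost(editorValue, encoded) {
  const textareaValue = encoded ? htmlEncode(editorValue) : editorValue;
  const rejected = requestValidationRejects(textareaValue);
  return {
    posted: textareaValue,
    rejected,
    received: rejected ? null : htmlDecode(textareaValue),
  };
}

// Path 2: Editor in a Grid popup editor. The encoded option only changes the
// textarea text; the widget value bound to the dataItem is raw HTML, and the
// DataSource posts the dataItem, so validation fires unless [AllowHtml] is set.
function simulateGridPopupSave(editorValue, encoded) {
  const textareaValue = encoded ? htmlEncode(editorValue) : editorValue;
  const dataItem = { ProductID: 1, Description: editorValue }; // constructed sample
  const rejected = requestValidationRejects(dataItem.Description);
  return { textareaValue, dataItem, rejected };
}

// Stand-alone demonstration with the thread's sample value.
const sample = "Aniseed <strong>Syrup</strong>";
console.log("form post, encoded:", simulateFormPost(sample, true));
console.log("grid popup save, encoded:", simulateGridPopupSave(sample, true));
```

Running it shows that `encoded` is only a way of getting markup past request validation on the form path; on the Grid path the raw HTML reaches model binding directly, which is why the field needs `[AllowHtml]`. In both cases the action ends up holding raw HTML, so the server still has to treat that field as untrusted input (sanitize it, or encode it on output) regardless of which path delivered it.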