What is ClientState Input Hidden for?

7 posts, 0 answers
  1. Arie Taslim
    Arie Taslim avatar
    4 posts
    Member since:
    May 2010

    Posted 21 Mar 2011 Link to this post

    Hi,

    When I was browsing the DOM elements in the radWindow, I discovered a hidden textbox called ctl00_phMaster_radWindowTest_ClientState. My colleague received a report that at one point this hidden textbox (..._ClientState) had a value in it.

    I would like to know:
    - what is the role/function of the ClientState?
    - under what conditions does the ClientState get populated?
    - what values does the ClientState contain?

    I use the radWindow in a secure site and don't want ClientState exposing any sensitive information.

    Thank you,
    Arie


  2. Svetlina Anati
    Admin
    Svetlina Anati avatar
    2795 posts

    Posted 22 Mar 2011 Link to this post

    Hi Arie,

    Straight to your questions:

    1) The ClientState hidden field is used to send information about changes done on the client to the server. It most often concerns layout configuration, e.g. if the width is changed through the client-side set_width method and the control needs this information on the server, this is written in the hidden field. This field is rendered by the base class of RadControls, and the RadWindow in particular does not actually use it but gets it rendered by the base class.

    2) The ClientState hidden field is used for certain functionality for certain controls - there are no exact universal rules - its role is to send configuration information. E.g. the RadWindow control is entirely created on the client, including its UI, and thus it does not need to send client changes back to the server.

    3) The ClientState field contains some specific configuration settings - you can alert its value to see what it holds. E.g. the RadPane control uses it and it holds information about the minWidth, minHeight, locked, etc. properties because they are needed on the server to have the control working properly.

    4) There are no security issues related to the ClientState field - it does not expose any additional information, different from the one which is already on the page. In addition, it most often contains some basic layout configuration properties, and if somebody can change those, he does not need to do it through the ClientState field because he will be able to do it directly without using this information.

    I hope that my explanation is detailed enough, let me know if you have additional questions.

    Best wishes,
    Svetlina
    the Telerik team
  4. Arie Taslim
    Arie Taslim avatar
    4 posts
    Member since:
    May 2010

    Posted 22 Mar 2011 Link to this post

    Thanks for the detailed information Svetlina. It is much appreciated!
    Arie
  5. Tigran
    Tigran avatar
    4 posts
    Member since:
    Jan 2011

    Posted 22 Sep 2011 Link to this post

    "4) There are no security issues related to the ClientState field "

    What about XSS attacks injecting some javascript into the ClientState hidden field?

    How to protect against that?

    AppScan found issues with this for the RadDateInput field.

    Thanks
  6. Marin Bratanov
    Admin
    Marin Bratanov avatar
    3599 posts

    Posted 27 Sep 2011 Link to this post

    Hello Tigran,

    As my colleague stated in the previous reply, there are no known security issues with the ClientState field. Our code goes through several automated tools that test for security vulnerabilities and has also been tested by third party vendors. If you have found some issue, it is possible that it is in the latest version, and we would appreciate it if you could provide more information on the exact issue you are experiencing, but we are not aware of any risks as of now.


    All the best,
    Marin
    the Telerik team
  7. AMITA
    AMITA avatar
    2 posts
    Member since:
    Sep 2015

    Posted 10 Sep 2015 Link to this post

    Hi ,

    I'm seeing a buffer overflow attack with the ClientState hidden field on a page... Any idea how I can prevent it?

    They can tamper with the hidden ClientState field and post a request:

    ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA

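As an added example (not code from this thread or from Telerik), a server-side pre-check for posted `*_ClientState` values of the kind discussed above. It assumes the field carries a JSON object of layout properties such as the minWidth/minHeight/locked mentioned in the admin reply; the 2 KB cap, the allowed keys and the numeric range are assumptions chosen for illustration. Oversized or malformed values, like the long run of "A"s posted here, are rejected before anything deserializes them.

```python
import json
from urllib.parse import parse_qs, urlencode

# Assumed schema (not from the thread): ClientState is a JSON object with a
# small set of layout properties. Anything outside this is treated as tampering.
MAX_CLIENTSTATE_BYTES = 2048
ALLOWED_KEYS = {"minWidth": int, "minHeight": int, "locked": bool}
MAX_DIMENSION = 10000  # assumed upper bound for a pixel size


def validate_client_state(raw):
    """Return (ok, reason) for one posted ClientState value."""
    if len(raw.encode("utf-8")) > MAX_CLIENTSTATE_BYTES:
        return False, "oversized"            # catches the AAAA... flood
    try:
        state = json.loads(raw)
    except ValueError:
        return False, "not-json"             # garbage or free text
    if not isinstance(state, dict):
        return False, "not-object"
    for key, value in state.items():
        expected = ALLOWED_KEYS.get(key)
        if expected is None:
            return False, f"unexpected-key:{key}"
        # bool is a subclass of int in Python, so require the exact type
        if type(value) is not expected:
            return False, f"bad-type:{key}"
        if expected is int and not 0 <= value <= MAX_DIMENSION:
            return False, f"out-of-range:{key}"
    return True, "ok"


def check_post_body(body):
    """Validate every *_ClientState field in a URL-encoded POST body."""
    results = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.endswith("_ClientState"):
            results[name] = validate_client_state(values[0])
    return results


# Constructed sample bodies modelled on the thread (not real traffic)
GOOD_BODY = urlencode({"ctl00_phMaster_radPane_ClientState":
                       json.dumps({"minWidth": 200, "minHeight": 100, "locked": False})})
FLOOD_BODY = urlencode({"ctl00_ctl00_MainContent_Grid_ClientState": "A" * 5000})
TAMPERED_BODY = urlencode({"ctl00_phMaster_radPane_ClientState":
                           json.dumps({"minWidth": "200px", "onload": 1})})

if __name__ == "__main__":
    for body in (GOOD_BODY, FLOOD_BODY, TAMPERED_BODY):
        print(check_post_body(body))
```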