XSS prevention

6 posts, 0 answers
  1. Bruce
    5 posts
    Member since: Oct 2012

    Posted 25 Jun 2014

    I am using kendo binding and want to filter all user input and be able to escape for output. Is there a value converter that has "from/to" type functionality? So that when data comes "from" the user it can be filtered and when data is going "to" the user it can be escaped? If there is no converter, can the binding be extended for this type of functionality?
    I am aware of #: # for HTML encoding to display values. According to OWASP, different encoding techniques are needed depending on the context (https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet). What other encoding techniques are available for other bindings, i.e. attribute?


  2. Petyo
    Admin
    2438 posts

    Posted 26 Jun 2014

    Hi Bruce,

    The #: # syntax you refer to comes from the Kendo UI Templates. When it comes to Kendo UI MVVM, the values are manipulated through the DOM API (getAttribute/setAttribute or innerText), which means that the passed value is escaped by the browser itself.

    Regards,
    Petyo
    Telerik
     
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
     
  4. Bruce
    5 posts
    Member since: Oct 2012

    Posted 27 Jun 2014 in reply to Petyo

    How does this work with Firefox? I thought innerText was IE only.
  5. Petyo
    Admin
    2438 posts

    Posted 28 Jun 2014

    Hi Bruce,

    A feature detection for innerText is performed here.

    Regards,
    Petyo
    Telerik
     
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
     
  6. Bruce
    5 posts
    Member since: Oct 2012

    Posted 30 Jun 2014

    How can I extend the binding to create my own data converter to filter data coming "from" the user and escape it when going "to" the user?
  7. Petyo
    Admin
    2438 posts

    Posted 02 Jul 2014

    Hello Bruce,

    The easiest way to do that would be to take the code of one of our existing bindings and tweak its implementation. You may also check the respective help article for more details.

    Regards,
    Petyo
    Telerik
     
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
     