
@Html.Raw vs. Escaping in Template in Razor file

Ed asked on 17 Oct 2016, 06:39 PM

In my cshtml, I am rendering a template that will be used via javascript.

<script id="my-template" type="text/x-kendo-tmpl">
    <select id="myType">
        @foreach (var src in Model.MyTypes)
        {
            <option value="@Html.Raw(@src.Key)">@Html.Raw(@src.Value)</option>
        }
    </select>
</script>

Note that I'm using @Html.Raw to output the value and text of the select items. This is necessary because we support several languages and without the @Html.Raw, the result is an invalid template.

If I keep the @Html.Raw, I'm exposing a potential hole for XSS because this data is supplied by the user.

How can I allow multiple locales and not expose an XSS vulnerability (without having to encode the data stored in the DB)?

Thanks,

--Ed

1 Answer, 1 is accepted

Ivan Danchev
Telerik team
answered on 19 Oct 2016, 12:11 PM
Hello Ed,

Html.Raw exposing an XSS vulnerability is a general MVC issue not related to a specific Telerik helper, thus we do not have methods or ways to affect this limitation.
We would suggest considering using other means of sanitizing the output HTML, for example the AntiXSS library:
Regards,
Ivan Danchev
Telerik by Progress
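Added example, not part of the thread and not Telerik's or ASP.NET MVC's own code: a hypothetical HtmlHelper extension, KendoEncode, that keeps Razor's normal HTML encoding (so user-supplied text cannot break out of the option's attribute or element) and additionally escapes the # character, which Kendo templates use as their expression delimiter. The assumption behind it, not stated in the thread, is that the "invalid template" Ed sees without @Html.Raw comes from the numeric entities the encoder emits for non-ASCII text (for example &#233; for é) and for apostrophes (&#39;): each contains a # that the template compiler reads as a delimiter. Kendo's documented escape for a literal hash in a template is a backslash followed by #.

```csharp
using System.Web;
using System.Web.Mvc;

namespace MyApp.Helpers   // hypothetical namespace, not from the thread
{
    public static class KendoTemplateHtmlExtensions
    {
        // Hypothetical helper (not part of Kendo UI or ASP.NET MVC).
        // For untrusted text emitted inside a <script type="text/x-kendo-tmpl"> block.
        //
        // Step 1: HTML-encode, so the value cannot close the attribute or the element.
        //         This is the step @Html.Raw skips and the source of the XSS exposure.
        // Step 2: escape '#' as '\#', so Kendo's template compiler treats it as a literal
        //         rather than as an expression delimiter. The encoder produces entities
        //         such as &#233; (é) and &#39; (') whose '#' would otherwise break the template.
        public static IHtmlString KendoEncode(this HtmlHelper html, string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return MvcHtmlString.Empty;
            }

            string htmlEncoded = HttpUtility.HtmlEncode(value);

            // Kendo's escape for a literal hash inside a template is backslash + '#'.
            // A template nested inside another template needs a second level of escaping,
            // which this helper does not handle.
            string templateSafe = htmlEncoded.Replace("#", "\\#");

            // Returning IHtmlString tells Razor the value is already encoded, so
            // @Html.KendoEncode(...) is emitted as-is without a second round of encoding.
            return new MvcHtmlString(templateSafe);
        }
    }
}
```

With the helper in place, the option line in the template becomes `<option value="@Html.KendoEncode(src.Key)">@Html.KendoEncode(src.Value)</option>`. A constructed value such as `Café <b>x</b>` is emitted into the script block as `Caf&\#233; &lt;b&gt;x&lt;/b&gt;`; Kendo restores the # when it compiles the template, and the browser then displays the original text rather than interpreting the tags, so the stored data does not have to be encoded in the database.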