In my cshtml, I am rendering a template that will be used via javascript.
<script id="my-template" type="text/x-kendo-tmpl"> <select id="myType"> @foreach (var src in Model.MyTypes) { <option value="@Html.Raw(@src.Key)">@Html.Raw(@src.Value)</option> } </select></script>Note that I'm using @Html.Raw to output the value and text of the select items. This is necessary because we support several languages and without the @Html.Raw, the result is an invalid template.
If I keep the @Html.Raw, I'm exposing a potential hole for XSS because this data is supplied by the user.
How can I allow multiple locales and not expose an XSS vulnerability (without having to encode the data stored in the DB)?
Thanks,
--Ed
1 Answer, 1 is accepted
0
Hello Ed,
Html.Raw exposing a XSS vulnerability is a general MVC issue not related to a specific Telerik helper, thus we do not have methods or ways to affect this limitation.
We would suggest considering using other means of sanitizing the output HTML, for example the AntiXSS library:
Regards,
Ivan Danchev
Telerik by Progress
Html.Raw exposing a XSS vulnerability is a general MVC issue not related to a specific Telerik helper, thus we do not have methods or ways to affect this limitation.
We would suggest considering using other means of sanitizing the output HTML, for example the AntiXSS library:
Regards,
Ivan Danchev
Telerik by Progress
Do you want to have your say when we set our development plans?
Do you want to know when a feature you care about is added or when a bug fixed?
Explore the
Telerik Feedback Portal
and vote to affect the priority of the items