This is a migrated thread and some comments may be shown as answers.
Can the Rad Editor Viewstate be Encrypted ?
6 Answers 23 Views
This is a migrated thread and some comments may be shown as answers.
Gwen
Top achievements
Rank 1
Gwen asked on 27 Apr 2020, 10:03 PM

The viewstate or application's pages are already encrypted but looking at the Burp output of the response from a POST to the Telerik.UI.DialogHandler (ImageMananger) it seems the Telerik view state in the response appears not to be.

We've generated and specified the DialogParametersEncryptionKey, ConfigurationEncryptionKey, and ConfigurationHashKey keys in the site level web.config as described in article https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security. This didn't change the viewstate.
The machine key in IIS is set for auto-generation.
I'm only assuming the Telerik viewstate can be encrypted because what I've read seems to imply that, but I haven't found a clear example so I'm not sure.

6 Answers, 1 is accepted

Sort by
0
Rumen
Telerik team
answered on 28 Apr 2020, 01:14 PM

Hi Gwen,

Yesterday, I converted your forum thread to a General Feedback ticket due to that I requested more info for your project.

I am pasting my answer here, but let's continue the discussion there:

Thank you for reporting this problem!

I converted the forum to a private ticket since its resolution might require information for your project.

Can you please perform two steps and report the result:

  • test with the latest version 2020.1.219 (R1 2020 SP1) - for your convenience I have attached the trial assembly of the latest release.
  • set this attribute in the web.config file, save it and retest:

    <appSettings>
      <add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true"/>
      ...
    <appSettings>

 

If the problem still persists, please provide the web.config of your project plus a link or the name of the tool you use to inspect and decode the ViewState

 

Regards,
Rumen
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
0
Dhaval
Top achievements
Rank 2
answered on 23 Mar 2021, 07:45 AM

Hello Rumen,

We are using burp suite tool and that shows the view state for radeditor when we try to insert the image.

I have also added EnableHandlerEncryption in web.config and still we are getting same issue.

Telerik assembly version that we are using is : 2020.1.114.45

Let me know if you need more information, I can share them with you.

0
Rumen
Telerik team
answered on 23 Mar 2021, 09:44 AM

Hi Dhaval,

Can you please record and provide a short video demonstrating the RadEditor configuration, the web.config file and how do you replicate the viewstate scenario in Burp? This will help me to recreate the scenario.

Thank you!

 

Regards,
Rumen
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

0
Dhaval
Top achievements
Rank 2
answered on 23 Mar 2021, 12:41 PM

Hello Rumen,

Thanks you for quick response.

I do not see any option to attach video here, so I am attaching the screenshots.

ImageEditor_1: In RadEditor I have clicked on imager manager and selected the image (I have only selected the image in radeditor).

BurpSuite_1: After following above step, I checked the logs in burp suite and found that view state is not encrypted.

I have added below line in appsettings of web.config:

<add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true"/>

 

I have added code snippet for rad editor below:

<telerik:RadEditor CssClass="NewsEditor" RenderMode="Lightweight" runat="server" ID="NewsEditor" Enabled="False" AutoResizeHeight="True" EnableEmbeddedSkins="True" Skin="Silk" DialogsCssFile="~/Content/TelerikEditorDialog.css">
    <CssFiles>
        <telerik:EditorCssFile Value="" />
    </CssFiles>
    <Tools>
        <telerik:EditorToolGroup Tag="FormatToolbar">
            <telerik:EditorTool Name="ApplyClass" />
            <telerik:EditorTool Name="StyleBuilder" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="FontName"/>
            <telerik:EditorTool Name="FontSize"/>
            <telerik:EditorTool Name="RealFontSize"/>
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Bold" />
            <telerik:EditorTool Name="Italic" />
            <telerik:EditorTool Name="Underline" />
            <telerik:EditorTool Name="StrikeThrough" />
            <telerik:EditorTool Name="ForeColor" />
            <telerik:EditorTool Name="BackColor"/>
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="JustifyLeft" />
            <telerik:EditorTool Name="JustifyCenter" />
            <telerik:EditorTool Name="JustifyRight" />
            <telerik:EditorTool Name="JustifyFull" />
            <telerik:EditorTool Name="JustifyNone" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Indent" />
            <telerik:EditorTool Name="Outdent" />
            <telerik:EditorTool Name="InsertOrderedList" />
            <telerik:EditorTool Name="InsertUnorderedList"/>
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="ConvertToLower" />
            <telerik:EditorTool Name="ConvertToUpper" />
            <telerik:EditorTool Name="Superscript" />
            <telerik:EditorTool Name="Subscript" />
        </telerik:EditorToolGroup>
        <telerik:EditorToolGroup Tag="MainToolbar">
            <telerik:EditorTool Name="Undo" />
            <telerik:EditorTool Name="Redo" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="FindAndReplace" />
            <telerik:EditorTool Name="SelectAll" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Cut" />
            <telerik:EditorTool Name="Copy" />
            <telerik:EditorTool Name="Paste" shortcut="CTRL+!"/>
            <telerik:EditorTool Name="PastePlainText" />
            <telerik:EditorTool Name="FormatPainter" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertLink" />
            <telerik:EditorTool Name="Unlink" />
            <telerik:EditorTool Name="SetLinkProperties" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="ImageManager"  />
            <telerik:EditorTool Name="SetImageProperties" />
            <telerik:EditorTool Name="ImageMapDialog"/>
            <telerik:EditorTool Name="InsertExternalVideo" Text="Insert External Video" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertTable" />
            <telerik:EditorTool Name="SetTableProperties" />
            <telerik:EditorTool Name="ToggleTableBorder" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="DocumentManager"/>
            <telerik:EditorTool Name="InsertSymbol" />
            <telerik:EditorTool Name="InsertGroupbox" />
            <telerik:EditorTool Name="InsertHorizontalRule" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertDate" />
            <telerik:EditorTool Name="InsertTime" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Zoom" />
            <telerik:EditorTool Name="ToggleScreenMode" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="AjaxSpellCheck"/>
            <telerik:EditorTool Name="Print" />
        </telerik:EditorToolGroup>
    </Tools>
    <ContextMenus>
        <telerik:EditorContextMenu TagName="IMG">
            <telerik:EditorTool Name="SetImageProperties" />
            <telerik:EditorTool Name="ImageMapDialog" />
        </telerik:EditorContextMenu>
            <telerik:EditorContextMenu TagName="TD">
            <telerik:EditorTool Name="InsertRowAbove" />
            <telerik:EditorTool Name="InsertRowBelow" />
            <telerik:EditorTool Name="DeleteRow" />
            <telerik:EditorTool Name="InsertColumnLeft" />
            <telerik:EditorTool Name="InsertColumnRight" />
            <telerik:EditorTool Name="MergeColumns" />
            <telerik:EditorTool Name="MergeRows" />
            <telerik:EditorTool Name="SplitCell" />
            <telerik:EditorTool Name="DeleteCell" />
            <telerik:EditorTool Name="SetCellProperties" />
            <telerik:EditorTool Name="SetTableProperties" />
            <telerik:EditorTool Name="DeleteTable" />
        </telerik:EditorContextMenu>
        <telerik:EditorContextMenu TagName="A">
            <telerik:EditorTool Name="SetLinkProperties" />
            <telerik:EditorTool Name="Unlink" />
        </telerik:EditorContextMenu>
        <telerik:EditorContextMenu TagName="BODY">
            <telerik:EditorTool Name="Cut" />
            <telerik:EditorTool Name="Copy" />
            <telerik:EditorTool Name="Paste" />
            <telerik:EditorTool Name="PasteFromWord" />
            <telerik:EditorTool Name="PastePlainText" />
            <telerik:EditorTool Name="PasteAsHtml" />
        </telerik:EditorContextMenu>
    </ContextMenus>
    <Content></Content>
</telerik:RadEditor>
0
Rumen
Telerik team
answered on 24 Mar 2021, 03:39 PM

Hi Dhaval,

Can you please change the TargetFramework of the application to 4.5 or later and test again:

 

      <compilation debug="false" targetFramework="4.8" />
        <httpRuntime targetFramework="4.8" />
        <pages viewStateEncryptionMode="Always" enableViewStateMac="true">
            <controls>
                <add tagPrefix="telerik" namespace="Telerik.Web.UI" assembly="Telerik.Web.UI" />
            </controls>
        </pages>
        <httpHandlers>

 

This should do the trick:

The EnableHandlerEncryption setting is responsible only for the URL querystring encryption of the Telerik handlers, it does not encrypt the ViewState. The ViewState encryption is handler by the .NET framework.

Regards,
Rumen
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

0
Dhaval
Top achievements
Rank 2
answered on 25 Mar 2021, 11:47 AM

Hello Rumen,

Thanks for your quick help, that has fixed the issue.

Asked by
Gwen
Top achievements
Rank 1
Answers by
Rumen
Telerik team
Dhaval
Top achievements
Rank 2
Share this question
or