The viewstate of the application's pages is already encrypted, but looking at the Burp output of the response from a POST to the Telerik.UI.DialogHandler (ImageManager), it seems the Telerik view state in the response appears not to be.
We've generated and specified the DialogParametersEncryptionKey, ConfigurationEncryptionKey, and ConfigurationHashKey keys in the site level web.config as described in article https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security. This didn't change the viewstate.
The machine key in IIS is set for auto-generation.
I'm only assuming the Telerik viewstate can be encrypted because what I've read seems to imply that, but I haven't found a clear example so I'm not sure.
Hi Gwen,
Yesterday, I converted your forum thread to a General Feedback ticket because I requested more info about your project.
I am pasting my answer here, but let's continue the discussion there:
Thank you for reporting this problem!
I converted the forum to a private ticket since its resolution might require information for your project.
Can you please perform two steps and report the result:
- test with the latest version 2020.1.219 (R1 2020 SP1) - for your convenience I have attached the trial assembly of the latest release.
- set this attribute in the web.config file, save it and retest:
<appSettings>
    <add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true"/>
    ...
</appSettings>
If the problem still persists, please provide the web.config of your project plus a link or the name of the tool you use to inspect and decode the ViewState.
Regards,
Rumen
Progress Telerik
Hello Rumen,
We are using the Burp Suite tool, and it shows the view state for RadEditor when we try to insert the image.
I have also added EnableHandlerEncryption in web.config and we are still getting the same issue.
The Telerik assembly version that we are using is: 2020.1.114.45
Let me know if you need more information, I can share them with you.
Hi Dhaval,
Can you please record and provide a short video demonstrating the RadEditor configuration, the web.config file and how you replicate the viewstate scenario in Burp? This will help me to recreate the scenario.
Thank you!
Regards,
Rumen
Progress Telerik
Hello Rumen,
Thank you for the quick response.
I do not see any option to attach video here, so I am attaching the screenshots.
ImageEditor_1: In RadEditor I have clicked on Image Manager and selected the image (I have only selected the image in RadEditor).
BurpSuite_1: After following the above step, I checked the logs in Burp Suite and found that the view state is not encrypted.
I have added the line below to the appSettings of web.config:
<add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true" />
I have added the code snippet for RadEditor below:
<telerik:RadEditor CssClass="NewsEditor" RenderMode="Lightweight" runat="server" ID="NewsEditor" Enabled="False" AutoResizeHeight="True" EnableEmbeddedSkins="True" Skin="Silk" DialogsCssFile="~/Content/TelerikEditorDialog.css">
    <CssFiles>
        <telerik:EditorCssFile Value="" />
    </CssFiles>
    <Tools>
        <telerik:EditorToolGroup Tag="FormatToolbar">
            <telerik:EditorTool Name="ApplyClass" />
            <telerik:EditorTool Name="StyleBuilder" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="FontName" />
            <telerik:EditorTool Name="FontSize" />
            <telerik:EditorTool Name="RealFontSize" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Bold" />
            <telerik:EditorTool Name="Italic" />
            <telerik:EditorTool Name="Underline" />
            <telerik:EditorTool Name="StrikeThrough" />
            <telerik:EditorTool Name="ForeColor" />
            <telerik:EditorTool Name="BackColor" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="JustifyLeft" />
            <telerik:EditorTool Name="JustifyCenter" />
            <telerik:EditorTool Name="JustifyRight" />
            <telerik:EditorTool Name="JustifyFull" />
            <telerik:EditorTool Name="JustifyNone" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Indent" />
            <telerik:EditorTool Name="Outdent" />
            <telerik:EditorTool Name="InsertOrderedList" />
            <telerik:EditorTool Name="InsertUnorderedList" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="ConvertToLower" />
            <telerik:EditorTool Name="ConvertToUpper" />
            <telerik:EditorTool Name="Superscript" />
            <telerik:EditorTool Name="Subscript" />
        </telerik:EditorToolGroup>
        <telerik:EditorToolGroup Tag="MainToolbar">
            <telerik:EditorTool Name="Undo" />
            <telerik:EditorTool Name="Redo" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="FindAndReplace" />
            <telerik:EditorTool Name="SelectAll" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Cut" />
            <telerik:EditorTool Name="Copy" />
            <telerik:EditorTool Name="Paste" shortcut="CTRL+!" />
            <telerik:EditorTool Name="PastePlainText" />
            <telerik:EditorTool Name="FormatPainter" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertLink" />
            <telerik:EditorTool Name="Unlink" />
            <telerik:EditorTool Name="SetLinkProperties" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="ImageManager" />
            <telerik:EditorTool Name="SetImageProperties" />
            <telerik:EditorTool Name="ImageMapDialog" />
            <telerik:EditorTool Name="InsertExternalVideo" Text="Insert External Video" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertTable" />
            <telerik:EditorTool Name="SetTableProperties" />
            <telerik:EditorTool Name="ToggleTableBorder" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="DocumentManager" />
            <telerik:EditorTool Name="InsertSymbol" />
            <telerik:EditorTool Name="InsertGroupbox" />
            <telerik:EditorTool Name="InsertHorizontalRule" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="InsertDate" />
            <telerik:EditorTool Name="InsertTime" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="Zoom" />
            <telerik:EditorTool Name="ToggleScreenMode" />
            <telerik:EditorSeparator />
            <telerik:EditorTool Name="AjaxSpellCheck" />
            <telerik:EditorTool Name="Print" />
        </telerik:EditorToolGroup>
    </Tools>
    <ContextMenus>
        <telerik:EditorContextMenu TagName="IMG">
            <telerik:EditorTool Name="SetImageProperties" />
            <telerik:EditorTool Name="ImageMapDialog" />
        </telerik:EditorContextMenu>
        <telerik:EditorContextMenu TagName="TD">
            <telerik:EditorTool Name="InsertRowAbove" />
            <telerik:EditorTool Name="InsertRowBelow" />
            <telerik:EditorTool Name="DeleteRow" />
            <telerik:EditorTool Name="InsertColumnLeft" />
            <telerik:EditorTool Name="InsertColumnRight" />
            <telerik:EditorTool Name="MergeColumns" />
            <telerik:EditorTool Name="MergeRows" />
            <telerik:EditorTool Name="SplitCell" />
            <telerik:EditorTool Name="DeleteCell" />
            <telerik:EditorTool Name="SetCellProperties" />
            <telerik:EditorTool Name="SetTableProperties" />
            <telerik:EditorTool Name="DeleteTable" />
        </telerik:EditorContextMenu>
        <telerik:EditorContextMenu TagName="A">
            <telerik:EditorTool Name="SetLinkProperties" />
            <telerik:EditorTool Name="Unlink" />
        </telerik:EditorContextMenu>
        <telerik:EditorContextMenu TagName="BODY">
            <telerik:EditorTool Name="Cut" />
            <telerik:EditorTool Name="Copy" />
            <telerik:EditorTool Name="Paste" />
            <telerik:EditorTool Name="PasteFromWord" />
            <telerik:EditorTool Name="PastePlainText" />
            <telerik:EditorTool Name="PasteAsHtml" />
        </telerik:EditorContextMenu>
    </ContextMenus>
    <Content></Content>
</telerik:RadEditor>
Hi Dhaval,
Can you please change the TargetFramework of the application to 4.5 or later and test again:
<compilation debug="false" targetFramework="4.8" />
<httpRuntime targetFramework="4.8" />
<pages viewStateEncryptionMode="Always" enableViewStateMac="true">
    <controls>
        <add tagPrefix="telerik" namespace="Telerik.Web.UI" assembly="Telerik.Web.UI" />
    </controls>
</pages>
<httpHandlers>
This should do the trick:
The EnableHandlerEncryption setting is responsible only for the URL querystring encryption of the Telerik handlers, it does not encrypt the ViewState. The ViewState encryption is handled by the .NET framework.
Regards,
Rumen
Progress Telerik
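Added example (not part of the original thread and not Telerik's code): a Python check that tells whether a captured response still carries an unencrypted __VIEWSTATE, which is how to confirm that the viewStateEncryptionMode="Always" change above took effect. The function names, URLs and sample payloads are constructed for illustration; the check relies on serialized ViewState beginning with the bytes 0xFF 0x01 and on ASP.NET emitting a __VIEWSTATEENCRYPTED hidden field next to encrypted state.

```python
import base64
import re

# ObjectStateFormatter output begins with a format marker (0xFF) and a version byte (0x01),
# which is why an unencrypted __VIEWSTATE value starts with "/w" in base64.
PLAINTEXT_HEADER = b"\xff\x01"
HIDDEN = re.compile(
    r'<input[^>]*\bname="(__VIEWSTATE(?:ENCRYPTED)?)"[^>]*?\bvalue="([^"]*)"', re.I)

def classify_viewstate(html):
    """Return 'absent', 'plaintext', 'encrypted' or 'opaque' for one response body."""
    fields = {name.upper(): value for name, value in HIDDEN.findall(html)}
    raw = fields.get("__VIEWSTATE")
    if raw is None:
        return "absent"
    try:
        data = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "opaque"
    if data.startswith(PLAINTEXT_HEADER):
        return "plaintext"
    # No serializer header: report 'encrypted' only if ASP.NET's marker field is present too.
    return "encrypted" if "__VIEWSTATEENCRYPTED" in fields else "opaque"

def unencrypted_endpoints(captures):
    """captures: iterable of (url, response_body). Return URLs still sending plaintext state."""
    return [url for url, body in captures if classify_viewstate(body) == "plaintext"]

def sample_page(state, encrypted_marker=False):
    """Build a constructed response body shaped like ASP.NET's hidden-field markup."""
    value = base64.b64encode(state).decode()
    html = f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{value}" />'
    if encrypted_marker:
        html += '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />'
    return html

# Constructed samples (not taken from the thread): serialized state followed by 20 zero bytes
# standing in for the MAC, and 64 arbitrary bytes standing in for ciphertext.
SAMPLES = [
    ("/Telerik.Web.UI.DialogHandler.aspx", sample_page(b"\xff\x01\x0f\x05\x06dialog" + bytes(20))),
    ("/News/Edit.aspx", sample_page(bytes(range(0x10, 0x50)), encrypted_marker=True)),
    ("/static/help.html", "<html><body>no form</body></html>"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, classify_viewstate(body))
```

Run it over response bodies exported from the proxy before and after the web.config change; any URL returned by unencrypted_endpoints is still serving readable state.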
Hello Rumen,
Thanks for your quick help, that has fixed the issue.