Can the Rad Editor Viewstate be Encrypted ?

Hi Gwen,

Yesterday, I converted your forum thread to a General Feedback ticket due to that I requested more info for your project.

I am pasting my answer here, but let's continue the discussion there:

Thank you for reporting this problem!

I converted the forum to a private ticket since its resolution might require information for your project.

Can you please perform two steps and report the result:

• test with the latest version 2020.1.219 (R1 2020 SP1) - for your convenience I have attached the trial assembly of the latest release.
• set this attribute in the web.config file, save it and retest:
  
  

  <appSettings>
    <add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true"/>
    ...
  <appSettings>

If the problem still persists, please provide the web.config of your project plus a link or the name of the tool you use to inspect and decode the ViewState

Regards,
Rumen
Progress Telerik

Hello Rumen,

We are using burp suite tool and that shows the view state for radeditor when we try to insert the image.

I have also added EnableHandlerEncryption in web.config and still we are getting same issue.

Telerik assembly version that we are using is : 2020.1.114.45

Let me know if you need more information, I can share them with you.

Hi Dhaval,

Can you please record and provide a short video demonstrating the RadEditor configuration, the web.config file and how do you replicate the viewstate scenario in Burp? This will help me to recreate the scenario.

Thank you!

Regards,
Rumen
Progress Telerik

Hello Rumen,

Thanks you for quick response.

I do not see any option to attach video here, so I am attaching the screenshots.

ImageEditor_1: In RadEditor I have clicked on imager manager and selected the image (I have only selected the image in radeditor).

BurpSuite_1: After following above step, I checked the logs in burp suite and found that view state is not encrypted.

I have added below line in appsettings of web.config:

I have added code snippet for rad editor below:

Hi Dhaval,

Can you please change the TargetFramework of the application to 4.5 or later and test again:

      <compilation debug="false" targetFramework="4.8" />
        <httpRuntime targetFramework="4.8" />
        <pages viewStateEncryptionMode="Always" enableViewStateMac="true">
            <controls>
                <add tagPrefix="telerik" namespace="Telerik.Web.UI" assembly="Telerik.Web.UI" />
            </controls>
        </pages>
        <httpHandlers>

This should do the trick:

The EnableHandlerEncryption setting is responsible only for the URL querystring encryption of the Telerik handlers, it does not encrypt the ViewState. The ViewState encryption is handler by the .NET framework.

Regards,
Rumen
Progress Telerik

Hello Rumen,

Thanks for your quick help, that has fixed the issue.