Cross Site Script prevention on Editor, createLink pop up.

Editor TextArea
Mark asked on 09 Dec 2021, 11:46 AM

Hi Team,

We recently ran a security scan on our web application, which is using the "https://kendo.cdn.telerik.com/2020.2.513" version, and we encountered one scenario where a Cross Site Script executed even though we implemented encode and decode.

Scenario: User opens the editor -> clicks the Insert Link option.

We filled in the URL and Text inputs, and for the Tooltip field we input a Cross Site Script, i.e. (">">">"><script>alert(document.cookie);</script>)

and we clicked INSERT.

Basically, the Tooltip field will break the anchor tag's title parameter and the script will execute.

Though we have implemented HTML encode and decode, we are still experiencing this alert popup with cookie data during encode and save and also during decode and show.

 

Thanks In Advance.

Please let us know if there is any inbuilt functionality in Kendo to handle this type of issue.

 

 

Ianko
Telerik team
commented on 14 Dec 2021, 09:54 AM

Hi Mark, 

I tested with the latest version of Kendo UI and the issue described does not happen there: https://demos.telerik.com/kendo-ui/editor/index. If this is related to the version you are using, consider upgrading to a recent version.

Also, note that even if the script is executed after inserting the link in the content area, that still does not lead to a valid XSS attack. You should check if submitting or getting the content via the value method retrieves the script injections. Encoding happens when content is submitted or retrieved. You can check this article for further details: https://docs.telerik.com/kendo-ui/controls/editors/editor/preventing-xss
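
The title-attribute breakout described in the question, shown beside a context-encoded form. This is an added example, not part of the original thread and not Kendo UI's own code; the function names, URL and link text are hypothetical, and the tooltip string is the one quoted in the question.

```javascript
// Tooltip value quoted in the question; URL and link text are constructed.
const TOOLTIP = '">">">"><script>alert(document.cookie);</script>';
const URL_VALUE = "https://example.com/";
const LINK_TEXT = "Example";

// Encode a string for use inside a double-quoted HTML attribute or text node.
// "&" must be replaced first so the entities added afterwards are not re-encoded.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// "Before": dialog fields concatenated straight into the markup. A double
// quote in the tooltip closes title="..." and the rest is parsed as HTML.
function buildLinkUnsafe(url, text, tooltip) {
  return '<a href="' + url + '" title="' + tooltip + '">' + text + "</a>";
}

// "After": every user-supplied field is encoded for the context it lands in.
function buildLinkSafe(url, text, tooltip) {
  return '<a href="' + encodeAttr(url) + '" title="' + encodeAttr(tooltip) +
    '">' + encodeAttr(text) + "</a>";
}

// Check helper for this sample only (a regex scan is not a sanitizer):
// lists the names of the opening tags found in a piece of stored markup.
function openTags(html) {
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  return [...html.matchAll(re)].map((m) => m[1].toLowerCase());
}

// The check a reviewer would run on content retrieved from the editor or
// the database: only the anchor itself should be present.
function linkIsClean(html) {
  const tags = openTags(html);
  return tags.length === 1 && tags[0] === "a";
}

console.log(openTags(buildLinkUnsafe(URL_VALUE, LINK_TEXT, TOOLTIP)));
console.log(openTags(buildLinkSafe(URL_VALUE, LINK_TEXT, TOOLTIP)));
```

Running `linkIsClean` over the markup that the application actually stores and later renders is one way to carry out the check suggested in the reply above.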
