Hi Tsvetomir,
I'm probably not understanding this correctly, but the issue is I can't handle this in the widget event because the Rapid7 AppSpider security scan is accessing the controller directly and not via the widget. For example:
https://mysite.com/Grid/Orders_Read?filter=./*][
I can validate/handle the vulnerable and potentially harmful scripts on the server side in the controller, except that for some reason, when the "filter" parameter is used, the controller is never hit. A generic .NET Core error is returned, but I'd rather handle/validate a bogus value for the "filter" parameter. Here's the stack of the error I get:
FilterParserException: Expected token
Kendo.Mvc.Infrastructure.Implementation.FilterLexer.Tokenize()
Kendo.Mvc.Infrastructure.Implementation.FilterParser..ctor(string input)
Kendo.Mvc.Infrastructure.FilterDescriptorFactory.Create(string input)
Kendo.Mvc.UI.DataSourceRequestModelBinder+<>c__DisplayClass2_0.<CreateDataSourceRequest>b__3(string filter)
Kendo.Mvc.UI.DataSourceRequestModelBinder.TryGetValue<T>(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName, string key, Action<T> action)
Kendo.Mvc.UI.DataSourceRequestModelBinder.CreateDataSourceRequest(ModelMetadata modelMetadata, IValueProvider valueProvider, string modelName)
Kendo.Mvc.UI.DataSourceRequestModelBinder.BindModelAsync(ModelBindingContext bindingContext)
Microsoft.AspNetCore.Mvc.ModelBinding.Binders.BinderTypeModelBinder.BindModelAsync(ModelBindingContext bindingContext)
Microsoft.AspNetCore.Mvc.ModelBinding.ParameterBinder.BindModelAsync(ActionContext actionContext, IModelBinder modelBinder, IValueProvider valueProvider, ParameterDescriptor parameter, ModelMetadata metadata, object value)
Microsoft.AspNetCore.Mvc.Internal.ControllerBinderDelegateProvider+<>c__DisplayClass0_0+<<CreateBinderDelegate>g__Bind|0>d.MoveNext()
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Thank you.
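The stack trace above shows why the controller action never runs: the exception is thrown inside Kendo's DataSourceRequestModelBinder during model binding, which the MVC pipeline executes before the action body. An ASP.NET Core exception filter still runs for exceptions raised during model binding, so it can turn the parser failure into a controlled 400 instead of the generic error page. The following is an added example written for this thread; it is not code from the original post or from Telerik. It assumes an ASP.NET Core 2.x MVC app (matching the Microsoft.AspNetCore.Mvc.Internal frames in the trace), matches the exception by type name because the post does not show the exception's namespace, and uses hypothetical names (DataSourceRequestExceptionFilter, AddGridRequestGuard).

```csharp
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical exception filter (added example, not Telerik code).
// Model binding runs before the action, so a malformed "filter" value throws
// inside Kendo's DataSourceRequestModelBinder and never reaches the controller.
// Exception filters still see exceptions thrown during model binding, so this
// is where a bogus grid request can be rejected deliberately.
public sealed class DataSourceRequestExceptionFilter : IExceptionFilter
{
    private readonly ILogger<DataSourceRequestExceptionFilter> _logger;

    public DataSourceRequestExceptionFilter(ILogger<DataSourceRequestExceptionFilter> logger)
    {
        _logger = logger;
    }

    public void OnException(ExceptionContext context)
    {
        // Matched by type name: the post shows "FilterParserException" but not its
        // namespace, so this avoids guessing one. Replace with a typed catch if known.
        if (context.Exception.GetType().Name != "FilterParserException")
        {
            return;
        }

        var httpContext = context.HttpContext;

        // Log enough for detection (source address, path, parser message) but do not
        // echo the raw query string back to the client in the response.
        _logger.LogWarning(
            "Rejected malformed DataSourceRequest from {RemoteIp} for {Path}: {Message}",
            httpContext.Connection.RemoteIpAddress,
            httpContext.Request.Path,
            context.Exception.Message);

        // Generic 400 with a fixed message; nothing attacker-controlled is reflected.
        context.Result = new BadRequestObjectResult(new
        {
            error = "Invalid grid request: the filter, sort, group or aggregate parameters could not be parsed."
        });
        context.ExceptionHandled = true;
    }
}

public static class DataSourceRequestGuardRegistration
{
    // Hypothetical helper: call services.AddGridRequestGuard() from
    // Startup.ConfigureServices instead of the plain services.AddMvc().
    public static IMvcBuilder AddGridRequestGuard(this IServiceCollection services)
    {
        return services.AddMvc(options =>
        {
            // Add<T>() wraps the filter in a TypeFilterAttribute, so the
            // ILogger constructor dependency is resolved from DI.
            options.Filters.Add<DataSourceRequestExceptionFilter>();
        });
    }
}
```

With this in place, a request such as `/Grid/Orders_Read?filter=./*][` gets a 400 with a fixed body rather than the developer exception page, and the attempt is logged. Two caveats: the filter is global, so it also covers every other action that binds a DataSourceRequest, which is usually what you want for a scanner finding like this; and in production the DeveloperExceptionPageMiddleware visible at the bottom of the trace should not be enabled, since it returns the full stack to the caller. If you would rather reject the value before Kendo parses it at all, the alternative is a custom IModelBinder that wraps DataSourceRequestModelBinder and catches the same exception, but that requires knowing the binder's constructor, which the post does not show.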