This is a migrated thread and some comments may be shown as answers.

Editing Grid with script injection testing causes a server (special characters are not encoded)

1 Answer 52 Views
Grid
This is a migrated thread and some comments may be shown as answers.
NerdBrick
Top achievements
Rank 1
NerdBrick asked on 18 Oct 2016, 10:23 PM

Using the Grid with inline batch editing, we noticed that when a script injection test was done, the server was throwing an error because the HTML tags are not encoded before posting. 

If you try the Batch Editing demo http://demos.telerik.com/kendo-ui/grid/editing and enter something like "<script>" into the Product Name column, the server will report a 500 error. 

A potentially dangerous Request.QueryString value was detected from the client (models=&quot;...uctName&quot;:&quot;&lt;script&gt;&quot;,&quot;UnitPrice...&quot;).

Is kendo.stringify not properly encoding the values before posting?  Suggestions to improve this scenario? 

Using Kendo UI for ASP.NET MVC R3 2016

 

Thank you. 

1 Answer, 1 is accepted

Sort by
0
Vessy
Telerik team
answered on 20 Oct 2016, 08:50 AM
Hi Brick,

The thrown error is due to a built-in security feature in .NET called Request Validation due to which the framework does not allow submitting of tags. It recognizes any string that is placed between the '<' and '>' characters as potentially dangerous and prevents the user from submitting it. You can find detailed information on this feature and how to disable in the following resource:


Also please examine the blog post that describes how you can handle validation errors with Kendo UI Grid.


Regards,
Vessy
Telerik by Progress
Check out the new UI for ASP.NET Core, the most complete UI suite for ASP.NET Core development on the market, with 60+ tried-and-tested widgets, based on Kendo UI.
Tags
Grid
Asked by
NerdBrick
Top achievements
Rank 1
Answers by
Vessy
Telerik team
Share this question
or