Editing Grid with script injection testing causes a server (special characters are not encoded)

2 posts, 0 answers
  1. NerdBrick
    NerdBrick avatar
    36 posts
    Member since:
    Jan 2013

    Posted 18 Oct 2016 Link to this post

    Using the Grid with inline batch editing, we noticed that when a script injection test was done, the server was throwing an error because the HTML tags are not encoded before posting. 

    If you try the Batch Editing demo http://demos.telerik.com/kendo-ui/grid/editing and enter something like "<script>" into the Product Name column, the server will report a 500 error. 

    A potentially dangerous Request.QueryString value was detected from the client (models=&quot;...uctName&quot;:&quot;&lt;script&gt;&quot;,&quot;UnitPrice...&quot;).

    Is kendo.stringify not properly encoding the values before posting?  Suggestions to improve this scenario? 

    Using Kendo UI for ASP.NET MVC R3 2016


    Thank you. 

  2. Vessy
    Vessy avatar
    1929 posts

    Posted 20 Oct 2016 Link to this post

    Hi Brick,

    The thrown error is due to a built-in security feature in .NET called Request Validation due to which the framework does not allow submitting of tags. It recognizes any string that is placed between the '<' and '>' characters as potentially dangerous and prevents the user from submitting it. You can find detailed information on this feature and how to disable in the following resource:

    Also please examine the blog post that describes how you can handle validation errors with Kendo UI Grid.

    Telerik by Progress
    Check out the new UI for ASP.NET Core, the most complete UI suite for ASP.NET Core development on the market, with 60+ tried-and-tested widgets, based on Kendo UI.
Back to Top