
Editing Grid with script injection testing causes a server error (special characters are not encoded)

NerdBrick
NerdBrick asked on 18 Oct 2016, 10:23 PM

Using the Grid with inline batch editing, we noticed that when a script injection test was done, the server was throwing an error because the HTML tags are not encoded before posting. 

If you try the Batch Editing demo http://demos.telerik.com/kendo-ui/grid/editing and enter something like "<script>" into the Product Name column, the server will report a 500 error. 

A potentially dangerous Request.QueryString value was detected from the client (models="...uctName":"<script>","UnitPrice...").

Is kendo.stringify not properly encoding the values before posting?  Suggestions to improve this scenario? 

Using Kendo UI for ASP.NET MVC R3 2016


Thank you. 

Vessy
Telerik team
answered on 20 Oct 2016, 08:50 AM
Hi Brick,

The thrown error is due to a built-in security feature in .NET called Request Validation, which does not allow submitting tags. It recognizes any string that is placed between the '<' and '>' characters as potentially dangerous and prevents the user from submitting it. You can find detailed information on this feature and how to disable it in the following resource:


Also please examine the blog post that describes how you can handle validation errors with Kendo UI Grid.


Regards,
Vessy
Telerik by Progress
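The answer above points at Request Validation, and the usual mistake at this point is to switch it off site-wide. The example below is added here and is not code from the thread, the Kendo demo, or Telerik: it shows the narrowest relaxation for this scenario in an ASP.NET MVC (Kendo UI for ASP.NET MVC) batch-update action, using `[AllowHtml]` on the single property that legitimately receives the text, and encodes that text only where it is later written into raw HTML. The `ProductViewModel`, `GridController`, `Products_Update`, `SaveProduct` and `LoadProduct` names are assumptions for illustration; the demo's real model and persistence are not shown on this page. Note that changing `kendo.stringify` on the client would not help: Request Validation inspects the decoded value of the `models` parameter, so a `<` in the JSON still trips it.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Kendo.Mvc.Extensions;
using Kendo.Mvc.UI;

// Hypothetical view model for one grid row (the demo's real model is not on this page).
public class ProductViewModel
{
    public int ProductID { get; set; }

    // Request Validation is relaxed for this ONE property only, so "<script>" typed into
    // the Product Name cell no longer produces the "potentially dangerous ..." 500.
    // Every other property, and every other action, is still validated as before.
    [AllowHtml]
    public string ProductName { get; set; }

    public decimal UnitPrice { get; set; }
}

public class GridController : Controller
{
    // Batch update endpoint for the Kendo grid. The grid posts edited rows under the
    // "models" prefix; ToDataSourceResult(request, ModelState) returns any model errors
    // to the client so the grid can display them instead of a generic server error.
    [HttpPost]
    public ActionResult Products_Update(
        [DataSourceRequest] DataSourceRequest request,
        [Bind(Prefix = "models")] IEnumerable<ProductViewModel> products)
    {
        if (products != null && ModelState.IsValid)
        {
            foreach (var product in products)
            {
                // Store the value as typed. Do not HTML-encode on the way in: the grid
                // encodes cell content when it renders (columns are encoded by default),
                // and storing encoded text leads to double encoding elsewhere.
                SaveProduct(product);
            }
        }

        return Json(products.ToDataSourceResult(request, ModelState));
    }

    // Anywhere the stored text is written into raw HTML outside the grid (a tooltip,
    // a report, an e-mail body), encode at that output point instead.
    public ActionResult ProductNameFragment(int id)
    {
        ProductViewModel product = LoadProduct(id);
        string safe = HttpUtility.HtmlEncode(product.ProductName);
        return Content("<span>" + safe + "</span>", "text/html");
    }

    // Persistence stand-ins (hypothetical; replace with the real data access).
    private void SaveProduct(ProductViewModel product)
    {
        // ...
    }

    private ProductViewModel LoadProduct(int id)
    {
        // Constructed sample record so the action runs without a database.
        return new ProductViewModel { ProductID = id, ProductName = "Chai", UnitPrice = 18m };
    }
}
```

`[AllowHtml]` scopes the exception to one model property. The coarser alternative, `[ValidateInput(false)]` on the action, disables Request Validation for every parameter of that action, and `<pages validateRequest="false" />` in web.config disables it for the whole site; neither is needed for this scenario, and both widen the surface for any other action that later forgets to encode its output.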