Encode hHeaderText in radgrid to avoid xss attacks

2 posts, 0 answers
  1. Cavit
    Cavit avatar
    1 posts
    Member since:
    Sep 2014

    Posted 13 Sep 2014 Link to this post

            <telerik:GridTemplateColumn DataField="FIRSTANDLASTNAME"
                                        HeaderText="[FIRSTANDLASTNAME]" SortExpression="FIRSTANDLASTNAME" UniqueName="FIRSTANDLASTNAME"
                                        GroupByExpression="FIRSTANDLASTNAME GROUP BY FIRSTANDLASTNAME">
                                            <asp:LinkButton ID="lnkFIRSTANDLASTNAME" runat="server" Text='<%# AntiXSSEncoder.HtmlEncode(this.GetDataFromContainer(Container.DataItem, "FIRSTANDLASTNAME")) %>'
                                                OnCommand="ContactSelected_Command" />

    The value I assign to "[FIRSTANDLASTNAME]" is a dynamic value from database based on language. I wanted it to be encoded so it will not be open to xss attacks.

    ///  Below fix works but I 10s of columns in differen pages. Is there a way to encode the value without encoding one by one via UniqueName ?
            protected void MPViewGridContact_ItemCreated(object sender, GridItemEventArgs e)
                if (e.Item is GridHeaderItem)
                    GridHeaderItem headerItem = e.Item as GridHeaderItem;                var button = headerItem["FIRSTANDLASTNAME"].Controls[0] as LinkButton;
                    button.Text = AntiXSSEncoder.HtmlEncode(button.Text);            }        }
  2. Angel Petrov
    Angel Petrov avatar
    1044 posts

    Posted 18 Sep 2014 Link to this post

    Hello Cavit,

    The current implementation of the control does not expose a property or method that would allow the header text to be encoded. Considering the aforementioned I recommend following the approach you have already implemented.

    Angel Petrov

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.

Back to Top