Grid XSS?

4 posts, 0 answers
  1. Chris
    Chris avatar
    171 posts
    Member since:
    Oct 2006

    Posted 22 Sep 2008 Link to this post


    Just want to know if Grid has the ability to do Server.HtmlEncode while data is binding to the Grid to avoid any XSS attack.

  2. Vlad
    Vlad avatar
    11100 posts

    Posted 23 Sep 2008 Link to this post

    Hi Chris,

    As far as we know the grid is not vulnerable to XSS attacks. Let me know if you find such vulnerability.

    All the best,
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
  3. Rob T
    Rob T avatar
    44 posts
    Member since:
    Jul 2007

    Posted 09 Feb 2009 Link to this post


    I have a similar request as Chris, I'd like to HtmlEncode the grid output.  You state that you do not think that the radgrid is vulnerable to xss attacks, and after playing around a bit thats partially true.  When I try to do some test inserts on your radgrid demo pages my attempts at adding <script>alert("foo")</script> tags fail.  This is a good start, were halfway there.  

    Where I start to have problems is if I insert the same test script into my database record and then populate the radgrid.  Unfortunatly the alert gets run.  I think this is a problem.  

    Since my data is not always comming in via means I can control I need to make sure it's safely displayed.  The capacity to display GridBoundColumns with some sort of HtmlEncoding could mitigate this issue.

    I realize I can handle with a GridTemplateColumn, or in the OnBound event, but your controls are easy to use and I'd rather keep it that way.


  4. Roatin Marth
    Roatin Marth avatar
    65 posts
    Member since:
    Nov 2007

    Posted 09 Feb 2009 Link to this post

    Good timing of this question. See a question I just asked related to an XSS vulnerability in the grid at
Back to Top