Hi I have a grid with a edit pop up.All works as expected till the user puts a script in the edit fields.On lose focus this executes the script for some reason.I have even written my own custom validation which removes this from the field but when the validator returns it executes the payload(kk</script><img src=1 onerror='alert(223)'/>).What happens in the background of the editor on focus out because my validator changes do not make a difference

Any help would be greatly appreciated as I have tried everything but the alert still appears..Even when the text has been removed from the textfield

I can replicate this fairly easily on a Kendo Pop-Up edit in the grid 

click on edit  option in grid
paste kk</script><img src=1 onerror='alert(223)'/> into text field or area
clickOutside of the texbox 

Note that I can catch this if the user was to click save for example but not if the user clicks outside of the textbox

there seems to be an issue with extend the custom validator and cross side scripting.Below my validation will return false as expected but It will still go down further into the Kendo.js source code and the alertbox will appear.Even if the textarea value in the textbox has been sanitised it will still contain the prior value.Why does it do this 

Hi Ethan,

I tried to replicate the described behavior with our popup editing example, however, I was not able to.

Would you send us a runnable sample where the behavior you are seeing is replicated? This will enable us to examine the issue locally and look for its cause.

Regards,
Viktor Tachev
Progress Telerik

Hey Viktor 

it seems that you need to extend the kendo_Ui validator with your own custom validation which the example doesnt do in order to see it .I will try extract the code out into a example 

Thanks 

Ethan 

Hi Viktor.I have looked into the a bit more and can describe a bot more what is happening.When you click outside a textbox the src in kk</script><img src=1 onerror='alert(223)'/> tries to make a call to our backend.Obviously there is no endpoint matching one so a 404 is returned and the onerror part is executed

So something happens after the on blur in the popup grid that causes the textbox to make an invalid call after the custom validator has completed.

This still also doesnt make sense as to why any changes made to the text in the validator are not carried over to kendo.min.js _validator

why when I remove the values from the input value and dataSource does it still go ahead to kendo _validate as the old input containing the script .I cannot find an answer for this anywhere in the forms and it seems a major xss vulnerability as all you have to do is past that code into a pop up edit in a grid and that js is executed 

Hi Ethan,

It would be hard to pinpoint the exact cause of the behavior without reproducing it. Would you send us a sample where the issue is replicated so we can examine it and look for its cause?

Regards,
Viktor Tachev
Progress Telerik

Hi Viktor  

I have created an example at the following link https://kendogrid20200324104055.azurewebsites.net/ .I just have the pop up grid working so u can follow the steps to see the behaviour

• Press edit
• paste kk</script><img src=1 onerror='alert(223)'/> into the QtmlValue field

Kind Regards

Ethan

Hi Viktor 

Thank you very much for your help on this .I wouldnt have thought to look at the parseHtml.I have replaced it with regex and it seems like the alert has stopped.Thanks for your patience on this 

Ethan