This is a migrated thread and some comments may be shown as answers.
GridEditMode problems with cross-Side scripting
11 Answers 15 Views
This is a migrated thread and some comments may be shown as answers.
Ethan
Top achievements
Rank 1
Ethan asked on 18 Mar 2020, 01:35 PM

Hi I have a grid with a edit pop up.All works as expected till the user puts a script in the edit fields.On lose focus this executes the script for some reason.I have even written my own custom validation which removes this from the field but when the validator returns it executes the payload(kk</script><img src=1 onerror='alert(223)'/>).What happens in the background of the editor on focus out because my validator changes do not make a difference

 

Any help would be greatly appreciated as I have tried everything but the alert still appears..Even when the text has been removed from the textfield

11 Answers, 1 is accepted

Sort by
0
Ethan
Top achievements
Rank 1
answered on 18 Mar 2020, 08:03 PM

I can replicate this fairly easily on a Kendo Pop-Up edit in the grid 

click on edit  option in grid
paste kk</script><img src=1 onerror='alert(223)'/> into text field or area
clickOutside of the texbox 

 

Note that I can catch this if the user was to click save for example but not if the user clicks outside of the textbox

0
Ethan
Top achievements
Rank 1
answered on 19 Mar 2020, 10:54 AM

there seems to be an issue with extend the custom validator and cross side scripting.Below my validation will return false as expected but It will still go down further into the Kendo.js source code and the alertbox will appear.Even if the textarea value in the textbox has been sanitised it will still contain the prior value.Why does it do this 

 

 

qlValidation: function (input) {
    if (input.is("[name='q']")) {
        var sanitizedValue = InputContainsUnSanitizeHtml(input[0].value);
        if (sanitizedValue === true) {
            input.attr("data-qtml-msg", "@(Strings.ValidQtml)");
            var a = $("#QtmlGrid").data().kendoGrid.dataSource.data();
            input[0].value = sanitizedValue;
            return false;
        }
        //var id = $("#Id").val();
        ////input[0].value = sanitizedValue;
        //var grid = $("#QtmlGrid").data("kendoGrid");
        //var previousName = grid.dataSource.get(id).Qtml;
        //previousName = sanitizedValue;
        //$("#QtmlGrid").data().kendoGrid.dataSource.filter().filters[0].value = name;
 
        return true;
    }
    return true;
}
0
Viktor Tachev
Telerik team
answered on 20 Mar 2020, 10:19 AM

Hi Ethan,

 

I tried to replicate the described behavior with our popup editing example, however, I was not able to.

Would you send us a runnable sample where the behavior you are seeing is replicated? This will enable us to examine the issue locally and look for its cause.

 

Regards,
Viktor Tachev
Progress Telerik

Get quickly onboarded and successful with your Telerik UI for ASP.NET MVC with the dedicated Virtual Classroom technical training, available to all active customers.
0
Ethan
Top achievements
Rank 1
answered on 20 Mar 2020, 11:41 AM

Hey Viktor 

it seems that you need to extend the kendo_Ui validator with your own custom validation which the example doesnt do in order to see it .I will try extract the code out into a example 

Thanks 

Ethan 

0
Ethan
Top achievements
Rank 1
answered on 23 Mar 2020, 09:52 AM

Hi Viktor.I have looked into the a bit more and can describe a bot more what is happening.When you click outside a textbox the src in kk</script><img src=1 onerror='alert(223)'/> tries to make a call to our backend.Obviously there is no endpoint matching one so a 404 is returned and the onerror part is executed

So something happens after the on blur in the popup grid that causes the textbox to make an invalid call after the custom validator has completed.

This still also doesnt make sense as to why any changes made to the text in the validator are not carried over to kendo.min.js _validator

 

0
Ethan
Top achievements
Rank 1
answered on 23 Mar 2020, 11:58 AM

why when I remove the values from the input value and dataSource does it still go ahead to kendo _validate as the old input containing the script .I cannot find an answer for this anywhere in the forms and it seems a major xss vulnerability as all you have to do is past that code into a pop up edit in a grid and that js is executed 

 

0
Ethan
Top achievements
Rank 1
answered on 24 Mar 2020, 11:34 AM
Its precisely at this point in the kendo.min.js where it just ignores that updatedvalue in the input and model..In all other areas in the kendo.js it should the proper updated code.What is going on here?
0
Viktor Tachev
Telerik team
answered on 24 Mar 2020, 12:10 PM

Hi Ethan,

 

It would be hard to pinpoint the exact cause of the behavior without reproducing it. Would you send us a sample where the issue is replicated so we can examine it and look for its cause?

 

Regards,
Viktor Tachev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
0
Ethan
Top achievements
Rank 1
answered on 25 Mar 2020, 12:03 PM

Hi Viktor  

I have created an example at the following link https://kendogrid20200324104055.azurewebsites.net/ .I just have the pop up grid working so u can follow the steps to see the behaviour

  • Press edit
  • paste kk</script><img src=1 onerror='alert(223)'/> into the QtmlValue field

Kind Regards

Ethan

0
Accepted
Viktor Tachev
Telerik team
answered on 27 Mar 2020, 12:19 PM

Hello Ethan,

 

I examined the code sample and the code and noticed that the parseHTML method is used in multiple places. If a script like the one from your post is passed to this method the code will be executed. You can see the same behavior with just a regular textarea in the dojo below. Paste kk</script><img src=1 onerror='alert(223)'/> into the textarea and click the button. The alert will be displayed on the page.

https://dojo.telerik.com/axunAxeP

 

Basically the same happens in the Grid custom popup editor. When the textarea is blurred the validation logic kicks in. That calls the InputContainsUnSanitizeHtml and sanitizeHtml methods where parseHTML is used. 

 

Regards,
Viktor Tachev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
0
Ethan
Top achievements
Rank 1
answered on 30 Mar 2020, 09:07 AM

Hi Viktor 

Thank you very much for your help on this .I wouldnt have thought to look at the parseHtml.I have replaced it with regex and it seems like the alert has stopped.Thanks for your patience on this 

Ethan

Tags
Grid
Asked by
Ethan
Top achievements
Rank 1
Answers by
Ethan
Top achievements
Rank 1
Viktor Tachev
Telerik team
Share this question
or