GridEditMode problems with cross-site scripting

12 posts, 1 answer
  1. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 18 Mar 2020

    Hi, I have a grid with an edit pop-up. All works as expected till the user puts a script in the edit fields. On losing focus this executes the script for some reason. I have even written my own custom validation which removes this from the field, but when the validator returns it executes the payload (kk</script><img src=1 onerror='alert(223)'/>). What happens in the background of the editor on focus out, because my validator changes do not make a difference?


    Any help would be greatly appreciated as I have tried everything but the alert still appears, even when the text has been removed from the text field.

  2. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 18 Mar 2020

    I can replicate this fairly easily on a Kendo pop-up edit in the grid:

    click on the edit option in the grid
    paste kk</script><img src=1 onerror='alert(223)'/> into a text field or text area
    click outside of the textbox


    Note that I can catch this if the user were to click save, for example, but not if the user clicks outside of the textbox.

  3. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 19 Mar 2020

    There seems to be an issue with extending the custom validator and cross-site scripting. Below, my validation will return false as expected, but it will still go down further into the Kendo.js source code and the alert box will appear. Even if the textarea value in the textbox has been sanitised it will still contain the prior value. Why does it do this?


    // Custom rule added to the Kendo UI Validator (code as posted, with comments added).
    // It only applies to the field named "q"; every other field is treated as valid.
    qlValidation: function (input) {
        if (input.is("[name='q']")) {
            // Helper defined elsewhere on the page: returns true when the raw field
            // value still contains unsanitised HTML.
            var sanitizedValue = InputContainsUnSanitizeHtml(input[0].value);
            if (sanitizedValue === true) {
                // Message the validator shows for this field.
                input.attr("data-qtml-msg", "@(Strings.ValidQtml)");
                var a = $("#QtmlGrid").data().kendoGrid.dataSource.data(); // currently unused
                // Note: sanitizedValue is the boolean true at this point, so this writes
                // the string "true" into the field rather than a cleaned value.
                input[0].value = sanitizedValue;
                return false; // reject the value
            }
            // Earlier attempts to push the cleaned value into the grid's data source:
            //var id = $("#Id").val();
            ////input[0].value = sanitizedValue;
            //var grid = $("#QtmlGrid").data("kendoGrid");
            //var previousName = grid.dataSource.get(id).Qtml;
            //previousName = sanitizedValue;
            //$("#QtmlGrid").data().kendoGrid.dataSource.filter().filters[0].value = name;

            return true; // value contains no unsanitised HTML
        }
        return true; // not the "q" field
    }
  4. Viktor Tachev
    Admin
    2497 posts

    Posted 20 Mar 2020

    Hi Ethan,


    I tried to replicate the described behavior with our popup editing example, however, I was not able to.

    Would you send us a runnable sample where the behavior you are seeing is replicated? This will enable us to examine the issue locally and look for its cause.


    Regards,
    Viktor Tachev
    Progress Telerik

  5. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 20 Mar 2020 in reply to Viktor Tachev

    Hey Viktor,

    It seems that you need to extend the Kendo UI validator with your own custom validation, which the example doesn't do, in order to see it. I will try to extract the code out into an example.

    Thanks 

    Ethan 

  6. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 23 Mar 2020 in reply to Viktor Tachev

    Hi Viktor. I have looked into this a bit more and can describe a bit more of what is happening. When you click outside a textbox, the src in kk</script><img src=1 onerror='alert(223)'/> tries to make a call to our backend. Obviously there is no endpoint matching one, so a 404 is returned and the onerror part is executed.

    So something happens after the on-blur in the popup grid that causes the textbox to make an invalid call after the custom validator has completed.

    This still also doesn't make sense as to why any changes made to the text in the validator are not carried over to the kendo.min.js _validator.


  7. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 23 Mar 2020

    Why, when I remove the values from the input value and dataSource, does it still go ahead to kendo _validate with the old input containing the script? I cannot find an answer for this anywhere in the forums, and it seems a major XSS vulnerability, as all you have to do is paste that code into a pop-up edit in a grid and that JS is executed.


  8. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 24 Mar 2020

    It's precisely at this point in the kendo.min.js where it just ignores the updated value in the input and model. In all other areas in the kendo.js it shows the proper updated code. What is going on here?
  9. Viktor Tachev
    Admin
    2497 posts

    Posted 24 Mar 2020

    Hi Ethan,


    It would be hard to pinpoint the exact cause of the behavior without reproducing it. Would you send us a sample where the issue is replicated so we can examine it and look for its cause?


    Regards,
    Viktor Tachev
    Progress Telerik

  10. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 25 Mar 2020 in reply to Viktor Tachev

    Hi Viktor,

    I have created an example at the following link: https://kendogrid20200324104055.azurewebsites.net/ . I just have the pop-up grid working, so you can follow the steps to see the behaviour.

    • Press edit
    • paste kk</script><img src=1 onerror='alert(223)'/> into the QtmlValue field

    Kind Regards

    Ethan

  11. Answer
    Viktor Tachev
    Admin
    2497 posts

    Posted 27 Mar 2020

    Hello Ethan,


    I examined the code sample and the code and noticed that the parseHTML method is used in multiple places. If a script like the one from your post is passed to this method, the code will be executed. You can see the same behavior with just a regular textarea in the dojo below. Paste kk</script><img src=1 onerror='alert(223)'/> into the textarea and click the button. The alert will be displayed on the page.

    https://dojo.telerik.com/axunAxeP


    Basically the same happens in the Grid custom popup editor. When the textarea is blurred, the validation logic kicks in. That calls the InputContainsUnSanitizeHtml and sanitizeHtml methods, where parseHTML is used.


    Regards,
    Viktor Tachev
    Progress Telerik

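The root cause Viktor identifies is that the validator handed the raw field value to parseHTML, which builds live DOM nodes: an img element created that way requests its src and runs onerror even though it is never inserted into the page. The following is an added example, not code from this thread or from Kendo UI, of a validator check that only inspects the value as a string and so cannot execute anything; the function names, the patterns it matches and the sample values are all assumed/constructed here.

```javascript
// Added example (not the thread's or Kendo UI's code): validate a field value
// without ever turning the user's text into DOM nodes. jQuery.parseHTML creates
// real elements, so "<img src=1 onerror=...>" fetches "1", fails and fires the
// handler even when the element is never attached to the document. A string
// scan has no such side effect. The patterns are a heuristic detector, not a
// full HTML sanitiser.

const TAG_RE = /<\/?[a-z][^>]*>/i;        // an opening or closing element tag
const EVENT_ATTR_RE = /\bon[a-z]+\s*=/i;  // inline handler attribute, e.g. onerror=
const SCRIPT_URL_RE = /javascript\s*:/i;  // javascript: URL in href/src

// Returns the kind of the first suspicious construct found, or null if none.
function findMarkup(value) {
  if (typeof value !== 'string') return null;
  if (TAG_RE.test(value)) return 'tag';
  if (EVENT_ATTR_RE.test(value)) return 'event-handler';
  if (SCRIPT_URL_RE.test(value)) return 'script-url';
  return null;
}

// Neutralise markup by escaping, so the text can be stored and rendered as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Validator rule in the shape of the thread's qlValidation: reject a value that
// contains markup and hand back an escaped copy for the caller to put in the field.
function validateQtml(value) {
  const hit = findMarkup(value);
  if (hit === null) return { valid: true, reason: null, sanitized: value };
  return { valid: false, reason: hit, sanitized: escapeHtml(value) };
}

// Constructed samples: the payload quoted in the thread and a harmless value
// containing a bare "<" that must not be flagged.
const SAMPLE_PAYLOAD = "kk</script><img src=1 onerror='alert(223)'/>";
const SAMPLE_CLEAN = 'plain text with 3 < 5 and no tags';

const demo = validateQtml(SAMPLE_PAYLOAD);
// demo.valid is false, demo.reason is 'tag', demo.sanitized has no "<" or ">"
```

In a browser, a structural check (for example to reject any element at all) should use DOMParser's parseFromString instead of parseHTML, since the document it returns is inert: no scripts run and no resources are fetched.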
  12. Ethan
    18 posts
    Member since:
    Mar 2020

    Posted 30 Mar 2020 in reply to Viktor Tachev

    Hi Viktor,

    Thank you very much for your help on this. I wouldn't have thought to look at parseHtml. I have replaced it with regex and it seems like the alert has stopped. Thanks for your patience on this.

    Ethan
