Hi, I have a grid with an edit pop-up. All works as expected until the user puts a script in the edit fields. On losing focus this executes the script for some reason. I have even written my own custom validation which removes this from the field, but when the validator returns it executes the payload (kk</script><img src=1 onerror='alert(223)'/>). What happens in the background of the editor on focus out, because my validator changes do not make a difference?
Any help would be greatly appreciated, as I have tried everything but the alert still appears, even when the text has been removed from the text field.
11 Answers, 1 is accepted
I can replicate this fairly easily on a Kendo pop-up edit in the grid:
- click on the edit option in the grid
- paste kk</script><img src=1 onerror='alert(223)'/> into a text field or area
- click outside of the textbox
Note that I can catch this if the user clicks save, for example, but not if the user clicks outside of the textbox.
There seems to be an issue with extending the custom validator and cross-site scripting. Below, my validation will return false as expected, but it will still go down further into the Kendo.js source code and the alert box will appear. Even if the textarea value in the textbox has been sanitised, it will still contain the prior value. Why does it do this?
qlValidation: function (input) {
    if (input.is("[name='q']")) {
        // InputContainsUnSanitizeHtml returns true when the raw value holds markup
        var containsUnsanitizedHtml = InputContainsUnSanitizeHtml(input[0].value);
        if (containsUnsanitizedHtml === true) {
            input.attr("data-qtml-msg", "@(Strings.ValidQtml)");
            // overwrite the field with the cleaned text (sanitizeHtml is the helper
            // referred to later in this thread); the original assigned the boolean
            // result to the field instead
            input[0].value = sanitizeHtml(input[0].value);
            return false;
        }
        return true;
    }
    return true;
}
Hi Ethan,
I tried to replicate the described behavior with our popup editing example, however, I was not able to.
Would you send us a runnable sample where the behavior you are seeing is replicated? This will enable us to examine the issue locally and look for its cause.
Regards,
Viktor Tachev
Progress Telerik
Hey Viktor,
It seems that you need to extend the Kendo UI validator with your own custom validation, which the example doesn't do, in order to see it. I will try to extract the code out into an example.
Thanks
Ethan
Hi Viktor. I have looked into this a bit more and can describe a bit more what is happening. When you click outside a textbox, the src in kk</script><img src=1 onerror='alert(223)'/> tries to make a call to our backend. Obviously there is no endpoint matching it, so a 404 is returned and the onerror part is executed.
So something happens after the on-blur in the popup grid that causes the textbox to make an invalid call after the custom validator has completed.
This still also doesn't make sense as to why any changes made to the text in the validator are not carried over to the kendo.min.js _validator.
Why, when I remove the values from the input value and dataSource, does it still go ahead to kendo _validate with the old input containing the script? I cannot find an answer for this anywhere in the forums, and it seems a major XSS vulnerability, as all you have to do is paste that code into a pop-up edit in a grid and that JS is executed.
Hi Ethan,
It would be hard to pinpoint the exact cause of the behavior without reproducing it. Would you send us a sample where the issue is replicated so we can examine it and look for its cause?
Regards,
Viktor Tachev
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
Hi Viktor,
I have created an example at the following link: https://kendogrid20200324104055.azurewebsites.net/ . I just have the pop-up grid working, so you can follow the steps to see the behaviour:
- Press edit
- paste kk</script><img src=1 onerror='alert(223)'/> into the QtmlValue field
Kind Regards
Ethan
Hello Ethan,
I examined the code sample and noticed that the parseHTML method is used in multiple places. If a script like the one from your post is passed to this method, the code will be executed. You can see the same behavior with just a regular textarea in the dojo below. Paste kk</script><img src=1 onerror='alert(223)'/> into the textarea and click the button. The alert will be displayed on the page.
https://dojo.telerik.com/axunAxeP
Basically the same happens in the Grid custom popup editor. When the textarea is blurred, the validation logic kicks in. That calls the InputContainsUnSanitizeHtml and sanitizeHtml methods, where parseHTML is used.
Regards,
Viktor Tachev
Progress Telerik
Hi Viktor,
Thank you very much for your help on this. I wouldn't have thought to look at parseHtml. I have replaced it with regex and it seems like the alert has stopped. Thanks for your patience on this.
Ethan
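The root cause Viktor identified is that parseHTML builds real DOM nodes from the field's text, so an img element with an onerror handler gets created and fires as soon as its (404) load fails, regardless of what the validator returns afterwards. The fix Ethan mentions is to check the text without ever turning it into nodes. The following is an added example written for this thread, not Telerik's code or the code from the original post: it implements a text-only check in the spirit of that regex replacement (the function names inputContainsUnsanitizedHtml, escapeHtml and validateQtmlField, and the sample inputs, are assumptions made here), and it runs stand-alone under Node because it touches no DOM API at all.

```javascript
// Added example (not from the thread): a validator helper that inspects the raw
// string instead of handing it to parseHTML. Because nothing here creates an
// element, an <img onerror=...> in the input can never be instantiated or fired.

const TAG_RE = /<\/?[a-z][^>]*>/i;            // any opening or closing HTML tag
const EVENT_HANDLER_RE = /\son[a-z]+\s*=/i;   // inline handlers: onerror=, onload=, ...
const SCRIPT_URL_RE = /javascript\s*:/i;      // javascript: URLs inside attributes

// True when the value holds markup or handler syntax that must not reach the page.
// Hypothetical replacement for the InputContainsUnSanitizeHtml used in the thread.
function inputContainsUnsanitizedHtml(value) {
  if (typeof value !== "string") return false;
  return TAG_RE.test(value) || EVENT_HANDLER_RE.test(value) || SCRIPT_URL_RE.test(value);
}

// Escapes the characters that are significant in HTML text and attribute values.
// Pure string replacement; no parsing, no node construction.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the shape of the grid validator: given the raw field value it reports
// whether the field is valid and the value the caller should write back into it.
function validateQtmlField(rawValue) {
  if (inputContainsUnsanitizedHtml(rawValue)) {
    return { valid: false, value: escapeHtml(rawValue) };
  }
  return { valid: true, value: rawValue };
}

// Constructed sample inputs: the payload from the thread plus two benign strings,
// one of which contains bare < and > that must not be flagged as markup.
const SAMPLES = [
  "kk</script><img src=1 onerror='alert(223)'/>",
  "plain description text",
  "5 < 6 and 7 > 3",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", validateQtmlField(s));
}
```

The payload is rejected on the closing script tag alone, and the escaped form returned for the field no longer contains any tag delimiters. A regex check like this is deliberately conservative (it flags anything tag-shaped), which is the right trade-off for a validator whose only job is to refuse markup; the point is that it reaches that decision from the string, so nothing observable happens on blur.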