How to prevent inline paste from executing html

3 posts, 0 answers
  1. Benjamin
    2 posts
    Member since:
    Jul 2020

    Posted 14 Jul 2020

    Hello,

    I am looking for help regarding preventing a kendo spreadsheet from executing html that is pasted into a cell.  I have tried $(document).on('paste', function () {}) and the kendo paste function prevent defaults, but neither of these worked.  Any suggestions?

    Example:

    Dojo: https://dojo.telerik.com/AjomeMOH/5

    Paste value : <img src=x onerror=alert(123)>

     

    Thanks

  2. Benjamin
    2 posts
    Member since:
    Jul 2020

    Posted 16 Jul 2020 in reply to Benjamin

    I figured it out.  Something within the init() of the paste command was causing this issue.  A workaround is to encode the text for the init() command and then decode it within the spreadsheet paste event.  See this Dojo for an example: https://dojo.telerik.com/AjomeMOH/23
  3. Ivan Danchev
    Admin
    2187 posts

    Posted 16 Jul 2020

    Hello Benjamin,

    This is an interesting approach. Thank you for sharing it with the community. I am sure it will be helpful to anyone that faces this scenario.

    Regards,
    Ivan Danchev
    Progress Telerik
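
The encode-then-decode idea from the second post, as an added example that is not part of the thread or of the linked Dojo. The function names are hypothetical, no Kendo UI API is called, and every sample string except the one from the first post is constructed.

```javascript
// Added illustration: helper names are hypothetical, not Kendo UI functions.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENCODE_MAP).map(([ch, entity]) => [entity, ch])
);

// Encode every character that can open a tag or break out of an attribute,
// so a later HTML-parsing step sees only text.
function encodeForHtmlParsing(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Decode in a single pass over the string. No DOM is involved (no innerHTML),
// and "&amp;lt;" becomes "&lt;", not "<", so user-typed entities survive.
function decodeToPlainText(encoded) {
  return String(encoded).replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => DECODE_MAP[entity]);
}

// Simulates the two stages of the workaround for one pasted string:
//   encoded   -> what is handed to the step that parses clipboard content as HTML
//   cellValue -> what is stored afterwards; it must be written as a plain text
//                value, never inserted as markup
function roundTrip(clipboardText) {
  const encoded = encodeForHtmlParsing(clipboardText);
  const cellValue = decodeToPlainText(encoded);
  return { encoded, cellValue, parserSeesTag: /<[a-z\/!]/i.test(encoded) };
}

// Sample pastes: the first is the value from the first post, the rest are constructed.
const SAMPLES = [
  "<img src=x onerror=alert(123)>",
  "a < b && c > d",
  "&lt;typed as entities&gt;",
  "\"quoted\" 'text'",
];

function checkSamples() {
  return SAMPLES.map((sample) => ({ sample, ...roundTrip(sample) }));
}

for (const row of checkSamples()) {
  console.log(JSON.stringify(row));
}
```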
