html in window.title

4 posts, 0 answers
  1. Morten
    304 posts
    Member since:
    Jul 2012

    Posted 12 Apr Link to this post

    After upgrading to 2017, the HTML I have in my title property is not rendered as HTML.

    Has this changed?

    I used to have something like this:

        filters.kendoWindow({
            width: "210px",
            height: "470px",
            // title string containing markup; newer builds show it as plain text
            title: "Filters <span class='ise-window-title-post-fix'>drag me</span>",
            position: { top: 100, left: 5 },
            pinned: true,
            visible: false
        });

  2. Dimitar
    Admin
    176 posts

    Posted 12 Apr Link to this post

    Hello Morten,

    The observed change has been introduced after the last official Service pack (R1 SP1 2017.1.223) and it could be observed in our latest internal builds. At this point adding HTML to Kendo UI window's title property is no longer supported. This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title.

    If this is an important feature that you want to have, you can visit our Feedback portal and create a new feature request for a Window title template.

    As a workaround I can suggest using the jQuery API to prepend/append the needed HTML:
        $(".k-window-title").append("<span class='custom'>drag me</span>");

    If you have any other questions, please do not hesitate to contact us.

    Regards,
    Dimitar
    Telerik by Progress
    Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
  3. tlaguz
    3 posts
    Member since:
    Jun 2015

    Posted 01 Jun in reply to Dimitar Link to this post

    Hello

    Dimitar said: This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title.

    In what scenario if I may ask?

    This completely broke our app, because we have an icon on every window's title bar.

  4. Dimitar
    Admin
    176 posts

    Posted 02 Jun Link to this post

    Hello Tomasz,

    As stated in the Window documentation about the title property, it accepts only plain text as a parameter and the use of HTML has never been suggested (this is a design flaw).

    The issue was reported in our bug tracker and it was fixed in the 2017 R1 release. This is a design concept that all of the Kendo UI widgets should follow and if you come across any other vulnerabilities, you can report them in our GitHub repository.

    Concerning your question about a specific scenario where this can lead to a malicious script being injected, take for example the use of the title in a CMS (Content Management System) solution.

    I understand that such changes cause issues with certain application implementations. But such fixes and improvements are inevitable in terms of improving the products we offer. 

    In case you are experiencing any further problems with the solution provided in the previous post, you can open a new support ticket, so that we can assist you on the case you have.

    Regards,
    Dimitar
    Progress Telerik
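The CMS scenario in the reply above (and the jQuery workaround in the earlier reply) is the reason the `title` option now takes plain text: once a title string comes from a content field, any markup in it runs in every visitor's browser. The following is an added example, not Kendo UI or Telerik code, showing how an application can still decorate a window title with its own fixed markup while the untrusted part is escaped; the `escapeHtml`/`buildWindowTitle` names and the CMS sample title are constructed here.

```javascript
// Added example (not Telerik's code): compose a window-title string from an
// untrusted plain-text title plus a fixed, developer-controlled decoration.
// Assumes the title text may originate from an untrusted source such as a CMS
// field, as in the scenario described in the thread.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup: the untrusted title is escaped, the decoration is a
// constant chosen by the application author, never user data. The result is
// meant for DOM insertion (e.g. the jQuery workaround), not for the plain-text
// `title` option, which would show the entities literally.
function buildWindowTitle(untrustedTitle, decorationText = "drag me") {
  const decoration =
    "<span class='ise-window-title-post-fix'>" +
    escapeHtml(decorationText) +
    "</span>";
  return escapeHtml(untrustedTitle) + " " + decoration;
}

// Constructed sample: a title as it might arrive from a CMS record.
const cmsTitle = "Filters <script>alert(1)</script>";
console.log(buildWindowTitle("Filters"));
console.log(buildWindowTitle(cmsTitle)); // script tag is rendered as text
```

In the browser the same decorated string is what you would hand to `.append()` on `.k-window-title`, keeping the widget's `title` option itself as plain text.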