After upgrading to 2017, the HTML I have in my title property is not rendered as HTML.
Has this changed?
I used to have something like this:
filters.kendoWindow({
    width: "210px",
    height: "470px",
    title: "Filters <span class='ise-window-title-post-fix'>drag me</span>",
    position: { top: 100, left: 5 },
    pinned: true,
    visible: false
});
12 Answers, 1 is accepted
The observed change has been introduced after the last official Service pack (R1 SP1 2017.1.223) and it could be observed in our latest internal builds. At this point adding HTML to Kendo UI window's title property is no longer supported. This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title.
If this is an important feature that you want to have, you can visit our Feedback portal and create a new feature request for a Window title template.
As a workaround I can suggest using the jQuery API to prepend/append the needed HTML:
$(".k-window-title").append("<span class='custom'>drag me</span>");
If you have any other questions, please do not hesitate to contact us.
Regards,
Dimitar
Telerik by Progress
Hello
Dimitar said: "This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title."
In what scenario, if I may ask?
This completely broke our app, because we have an icon on every window's title bar.
Hello Tomasz,
As stated in the Window documentation about the title property, it accepts only plain text as a parameter and the use of HTML has never been suggested (this is a design flaw).
The issue was reported in our bug tracker and it was fixed in the 2017 R1 release. This is a design concept that all of the Kendo UI widgets should follow and if you come across any other vulnerabilities, you can report them in our GitHub repository.
Concerning your question about a specific scenario where this can lead to a malicious script being injected, take for example the use of the title in a CMS (Content Management System) solution.
I understand that such changes cause issues with certain application implementations. But such fixes and improvements are inevitable in terms of improving the products we offer.
In case you are experiencing any further problems with the solution provided in the previous post, you can open a new support ticket, so that we can assist you on the case you have.
Regards,
Dimitar
Progress Telerik
As some time has passed what have others done about this? We've just upgraded and hit the same issue.
I can't say I understand the issue given that we can switch off encoding in other places, e.g. in kendoGrids.
It should be optional and on by default; if the text doesn't contain any text coming from the user then it's safe.
I have logged a new enhancement issue in the Kendo UI GitHub repository for enhancing the title() option of the Window. You can start tracking it from item #4284.
Regards,
Dimitar
Progress Telerik
Hi
I see that #4284 has just been closed. Is that because it's been done or because you're not going to do it?
It's still an issue for us; we've had to manually change your code to enable this, which makes upgrading a pain.
Thanks
Anthony
I am happy to let you know that a new encoded property for the title option will be included with the next R3 release of Kendo UI. This will allow users to decide whether the content of the title will be encoded or not.
The 2018 R3 release is scheduled for mid to late September. For additional information about the features/enhancements, please refer to the Kendo UI Roadmap.
Regards,
Dimitar
Progress Telerik
Hi Dimitar
Has this update eventually been included in the 2018 R3 release? If yes, could you please provide an example of how the encoding can be handled?
For 2016 version when this feature was working we used something similar to:
this.cellWindow.title(`<span style="vertical-align: top; color: red">test</span>`);
It's in the documentation now, e.g.
https://docs.telerik.com/kendo-ui/api/javascript/ui/window/configuration/title.encoded
https://dojo.telerik.com/OniYETAh
Thank you, Anthony
The trick seems to be to use
this.cellWindow.setOptions({
    title: {
        text: `<span style="vertical-align: top; color: red">test</span>`,
        encoded: false
    }
});
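The point Dimitar raised earlier (HTML in the title is an injection vector when the text comes from a CMS or a user) and the encoded option Anthony shows can be combined safely. The following is an added example, not code from the thread or from Telerik: it assumes the `{ text, encoded }` title shape shown above, HTML-escapes the untrusted part of the title and keeps only the trusted decoration as raw markup before switching `encoded` off.

```javascript
// Added example (not from the thread or from Telerik). Builds the value to
// pass as the Window `title` option, assuming the { text, encoded } shape
// from Anthony's post. Untrusted text is escaped; trusted markup is appended.

function escapeHtml(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// untrustedText: anything that may originate from a user or a CMS.
// trustedSuffixHtml: markup that lives in your own source (e.g. the drag hint).
// The returned object can be used as kendoWindow({ title: ... }) or
// window.setOptions({ title: ... }).
function buildWindowTitle(untrustedText, trustedSuffixHtml) {
  return {
    text: escapeHtml(untrustedText) + (trustedSuffixHtml || ""),
    // encoded:false is only safe because the untrusted part was escaped above
    encoded: false
  };
}

// When no decoration is needed, keep the default (encoded) behaviour instead.
function buildPlainWindowTitle(untrustedText) {
  return { text: String(untrustedText), encoded: true };
}

// Constructed sample input: a title coming from CMS content that carries markup.
var cmsTitle = "Filters <script>alert(1)</script>";
var dragHint = " <span class='ise-window-title-post-fix'>drag me</span>";
var safeTitle = buildWindowTitle(cmsTitle, dragHint);
// safeTitle.text keeps the <span> but renders the <script> tag as literal text.
```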
Is it possible to add the same "encoded" property to another similar control, the Dialog control?
As I see, the Dialog control does not support HTML content.
Hi Daniel,
Indeed the encoded option could also be added for the Dialog. I noticed that you have already logged a feature request regarding this in the Feedback Portal which can be used to track the status of this request:
Regards,
Dimitar
Progress Telerik