html in window.title

11 posts, 0 answers
  1. Morten
    Morten avatar
    349 posts
    Member since:
    Jul 2012

    Posted 12 Apr 2017 Link to this post

    After upgrading to 2017, the HTML I have in my title property is no longer rendered as HTML.

    Has this changed?

    I used to have something like this:

        // Window initialisation as used before the upgrade; the title string carries HTML markup
        filters.kendoWindow({
            width: "210px",
            height: "470px",
            title: "Filters <span class='ise-window-title-post-fix'>drag me</span>",
            position: { top: 100, left: 5 },
            pinned: true,
            visible: false
        });

  2. Dimitar
    Admin
    Dimitar avatar
    796 posts

    Posted 12 Apr 2017 Link to this post

    Hello Morten,

    The observed change has been introduced after the last official Service pack (R1 SP1 2017.1.223) and it could be observed in our latest internal builds. At this point adding HTML to Kendo UI window's title property is no longer supported. This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title.

    If this is an important feature that you want to have, you can visit our Feedback portal and create a new feature request for a Window title template.

    As a workaround I can suggest using the jQuery API to prepend/append the needed HTML:
    $(".k-window-title").append("<span class='custom'>drag me</span>");

    If you have any other questions, please do not hesitate to contact us.

    Regards,
    Dimitar
    Telerik by Progress
    Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
  3. tlaguz
    tlaguz avatar
    3 posts
    Member since:
    Jun 2015

    Posted 01 Jun 2017 in reply to Dimitar Link to this post

    Hello

    Dimitar said: This change has been introduced in order to prevent any possibility of a script injection when using html in the widget title.

    In what scenario if I may ask?

    This completely broke our app, because we have an icon on every window's title bar.

  4. Dimitar
    Admin
    Dimitar avatar
    796 posts

    Posted 02 Jun 2017 Link to this post

    Hello Tomasz,

    As stated in the Window documentation about the title property, it accepts only plain text as a parameter and the use of HTML has never been suggested (this is a design flaw).

    The issue was reported in our bug tracker and it was fixed in the 2017 R1 release. This is a design concept that all of the Kendo UI widgets should follow and if you come across any other vulnerabilities, you can report them in our GitHub repository.

    Concerning your question about a specific scenario where this can lead to a malicious script being injected, take for example the use of the title in a CMS (Content Management System) solution.

    I understand that such changes cause issues with certain application implementations. But such fixes and improvements are inevitable in terms of improving the products we offer. 

    In case you are experiencing any further problems with the solution provided in the previous post, you can open a new support ticket, so that we can assist you on the case you have.

    Regards,
    Dimitar
    Progress Telerik
  5. Anthony
    Anthony avatar
    126 posts
    Member since:
    Jun 2013

    Posted 30 May 2018 Link to this post

    As some time has passed what have others done about this? We've just upgraded and hit the same issue.

    I can't say I understand the issue given that we can switch off encoding in other places, e.g. in kendoGrids.

    It should be optional and on by default; if the text doesn't contain any text coming from the user then it's safe.

  6. Dimitar
    Admin
    Dimitar avatar
    796 posts

    Posted 31 May 2018 Link to this post

    Hello Anthony,

    I have logged a new enhancement issue in the Kendo UI GitHub repository for enhancing the title() option of the Window. You can start tracking it from item #4284.

    Regards,
    Dimitar
    Progress Telerik
  7. Anthony
    Anthony avatar
    126 posts
    Member since:
    Jun 2013

    Posted 05 Jul 2018 in reply to Dimitar Link to this post

    Hi

     I see that #4284 has just been closed. Is that because it's been done or because you're not going to do it?

    It's still an issue for us; we've had to manually change your code to enable this, which makes upgrading a pain.

    Thanks

    Anthony

  8. Dimitar
    Admin
    Dimitar avatar
    796 posts

    Posted 05 Jul 2018 Link to this post

    Hello Anthony,

    I am happy to let you know that a new encoded property for the title option will be included with the next R3 release of Kendo UI. This will allow the users to decide whether the content of the title will be encoded or not.

    The 2018 R3 release is scheduled for mid to late September. For additional information about the features/enhancements, please refer to the Kendo UI Roadmap.

    Regards,
    Dimitar
    Progress Telerik
  9. Tomi
    Tomi avatar
    2 posts
    Member since:
    May 2013

    Posted 02 Dec 2018 in reply to Dimitar Link to this post

    Hi Dimitar

    Has this update eventually been included in the 2018 R3 release? If yes, could you please provide an example of how the encoding can be handled?

    For 2016 version when this feature was working we used something similar to:

    this.cellWindow.title(`<span style="vertical-align: top; color: red">test</span>`);

  10. Anthony
    Anthony avatar
    126 posts
    Member since:
    Jun 2013

    Posted 03 Dec 2018 in reply to Tomi Link to this post

    It's in the documentation now, e.g.

    https://docs.telerik.com/kendo-ui/api/javascript/ui/window/configuration/title.encoded

    https://dojo.telerik.com/OniYETAh

  11. Tomi
    Tomi avatar
    2 posts
    Member since:
    May 2013

    Posted 03 Dec 2018 in reply to Anthony Link to this post

    Thank you, Anthony

    The trick seems to be to use

        this.cellWindow.setOptions({
            title: {
                text: `<span style="vertical-align: top; color: red">test</span>`,
                encoded: false
            }
        });

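    The following is an added example, not code from this thread or from Kendo UI itself: it models the two title modes the thread ends up with (encoded by default, or `encoded: false` for raw markup, as in Dimitar's R3 announcement and Tomi's last post) with plain functions, and shows the pattern a defender would want when markup is desired: the developer-owned decoration stays static while any user-derived part of the title is HTML-encoded before it is put into the `encoded: false` text. The `encodeHtml`, `renderTitle` and `buildTitle` names are assumptions for this illustration, and the untrusted sample value is constructed.

    ```javascript
    // Added example, not Kendo UI code. Models how a title option behaves when
    // it is treated as plain text versus raw HTML, and how to keep static markup
    // while neutralising the user-controlled part.

    // Minimal HTML encoder (assumption: stands in for whatever escaping the widget
    // applies when title.encoded is true; the exact Kendo implementation is not shown).
    function encodeHtml(text) {
      return String(text)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
    }

    // Models the title option: a bare string is encoded (the post-2017 default);
    // an object may opt out with encoded: false, in which case the text is
    // inserted as raw markup.
    function renderTitle(titleOption) {
      const opt = typeof titleOption === "string"
        ? { text: titleOption, encoded: true }
        : { encoded: true, ...titleOption };
      return opt.encoded ? encodeHtml(opt.text) : String(opt.text);
    }

    // Safe way to use encoded: false. The span is developer-owned and static;
    // the only dynamic piece (e.g. a record name typed into a CMS, the scenario
    // Dimitar mentions) is encoded before it is placed inside the markup.
    function buildTitle(staticLabel, userSuppliedName) {
      const text =
        `${encodeHtml(staticLabel)} ` +
        `<span class="ise-window-title-post-fix">${encodeHtml(userSuppliedName)}</span>`;
      return { text, encoded: false };
    }

    // Returns true if the rendered title still contains a raw <script tag,
    // i.e. the user-controlled input survived as markup.
    function containsRawScript(rendered) {
      return /<script\b/i.test(rendered);
    }

    // Constructed sample input: a value an end user typed into a form field.
    const UNTRUSTED_NAME = "Q3 report <script>untrustedCode()</script>";

    // Default mode: the whole string is shown literally, markup and all.
    console.log(renderTitle(`Filters <span>${UNTRUSTED_NAME}</span>`));

    // Opt-out mode with the static/dynamic split: the span renders, the script does not.
    const safe = buildTitle("Filters", UNTRUSTED_NAME);
    console.log(renderTitle(safe));
    console.log("raw script present:", containsRawScript(renderTitle(safe)));

    // What NOT to do: putting the untrusted value straight into an encoded: false title.
    const unsafe = { text: `Filters <span>${UNTRUSTED_NAME}</span>`, encoded: false };
    console.log("raw script present:", containsRawScript(renderTitle(unsafe)));
    ```

    The point of `buildTitle` is that `encoded: false` only switches off the widget's escaping; it does not remove the need to escape. Whoever composes the title string becomes responsible for encoding every fragment that did not originate in source code.
    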