This is a migrated thread and some comments may be shown as answers.

HtmlEncode="true" not honoured on a GridBoundColumn when using clientside data binding

Roatin Marth
Roatin Marth asked on 09 Feb 2009, 09:30 PM
I have the following set on my grid:
<MasterTableView> 
    <Columns> 
        <telerik:GridBoundColumn UniqueName="Description" DataField="Description" HtmlEncode="true" /> 
    </Columns> 
</MasterTableView> 

This properly escapes html entities that may exist in that field when using traditional data binding.

However when switching to the built-in code-less clientside databinding html values fail to get escaped. Eg
<ClientSettings> 
    <DataBinding Location="WebService.asmx" SelectMethod="GetData" /> 
</ClientSettings> 

This is a XSS security risk. Fix this.

Version is 2008.3.1314.35

Rob T
answered on 11 Feb 2009, 08:20 PM
Anyone from Telerik out there?
Nikolay Rusev
Telerik team
answered on 12 Feb 2009, 11:59 AM
Hello Nizar,

Unfortunately the HtmlEncode property of RadGrid doesn't apply to client-side data-binding and this is by design. However if you need to escape the content when data-binding you can apply this in two places:

 - before returning your data from WebService/PageMethod
 - on OnRowDataBound client-side event and use JavaScript escape function

I hope this helps.

Regards,
Nikolay
the Telerik team

Teodorico
answered on 01 Apr 2009, 03:26 AM
Hi,
Will this be changed in the near future? Otherwise, we have to call System.Web.HttpUtility.HtmlEncode(value) for every cell data assigned to the grid.

Thanks.

Nikolay Rusev
Telerik team
answered on 01 Apr 2009, 04:46 AM
Hello Teodorico,

There are no plans for porting this into RadGrid client-side databinding at this stage.
You can use both approaches which I mentioned in my previous post.

Sincerely yours,
Nikolay
the Telerik team

Teodorico
answered on 02 Apr 2009, 12:03 AM

Hi Nikolay,

I was able to get it working fine from code behind using System.Web.HttpUtility.HtmlEncode.

The problem with this approach is that I will have to modify the data collection already returned by the business layer, so I would probably opt for implementing this on JS.

I hit a wall trying to use JS.

With the following code I am able to see the data and display it modified on an alert but the grid does not reflect the change.

function RadGrid1_RowDataBound(sender, args)
{
    args.get_dataItem()["Name"] = escape(args.get_dataItem()["Name"]);
    alert(args.get_dataItem()["Name"]);
}

If I use something like this:

function RadGrid1_RowDataBound(sender, args)
{
    args.get_item().get_cell("Name").innerHTML = escape(args.get_dataItem()["Name"]);
}

I can see the modified data on the grid but encoded as %3c..., etc.

What would be the correct approach to change the cell data on this event?

Thanks.

Nikolay Rusev
Telerik team
answered on 02 Apr 2009, 05:03 PM
Hello Teodorico,

In JavaScript there is no such method equivalent to the server-side System.Web.HttpUtility.HtmlEncode method.
You can use escape (as in your code snippets), which encodes special characters, with the exception of:
* @ - _ + . / . More information might be found here.
If you need to perform encoding like the server method, you should create your own parsing logic.

For your convenience I am enclosing a sample application which demonstrates the scheme of how you can escape your business data before binding RadGrid.

Please find the application attached to this thread.

Kind regards,
Nikolay
the Telerik team

cheeves
answered on 11 Oct 2011, 10:38 AM

Hi, if this needs to be done on the client, the jquery text method can be used -

function RadGrid1_RowDataBound(sender, args)
{
   $(args.get_item().get_cell("Name")).text(args.get_dataItem()["Name"]);
}
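As an added example (not code from the thread, from Telerik, or from the attached sample application), the following JavaScript ties together the three points raised above: Nikolay's note that escape() is not an HtmlEncode equivalent, the "%3c..." output Teodorico saw when writing escape()'s result into the cell, and cheeves's alternative of writing the raw value as text. It defines a small entity encoder equivalent in effect to System.Web.HttpUtility.HtmlEncode, applies it either to the rows before they reach the grid or inside a RowDataBound handler, and compares its output with escape(). The args.get_dataItem()/get_item().get_cell() shape follows the handler signatures used in this thread; the sample rows are constructed here for illustration.

```javascript
// Added example, not Telerik code. Assumes the RadGrid client-side handler
// shape used in the thread: args.get_dataItem() returns the row object and
// args.get_item().get_cell(name) returns the DOM cell.

var HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Entity-encode the five characters that can change the meaning of HTML.
// Null/undefined become an empty string, as HttpUtility.HtmlEncode(null) does.
function htmlEncode(value) {
  if (value === null || value === undefined) { return ""; }
  return String(value).replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}

// Option 1: encode the named fields of every row before the data is handed to
// the grid (the same idea as encoding in the web service before returning).
// Returns new objects so the business-layer collection is left untouched.
function encodeRowsForGrid(rows, fields) {
  return rows.map(function (row) {
    var copy = {};
    Object.keys(row).forEach(function (key) {
      copy[key] = fields.indexOf(key) >= 0 ? htmlEncode(row[key]) : row[key];
    });
    return copy;
  });
}

// Option 2: encode in OnRowDataBound and write the result into the cell.
// Because the value is entity-encoded, innerHTML renders "<b>" as the literal
// text "<b>" instead of interpreting it. Writing the raw value through
// cell.textContent (or jQuery .text(), as cheeves shows) is the equivalent
// alternative and needs no encoder.
function RadGrid1_RowDataBound(sender, args) {
  var raw = args.get_dataItem()["Name"];
  var cell = args.get_item().get_cell("Name");
  var encoded = htmlEncode(raw);
  cell.innerHTML = encoded;
  return encoded;
}

// Side by side: escape() percent-encodes for URLs (this is where "%3c" comes
// from), htmlEncode() produces entities the browser displays as text.
function compareEncodings(value) {
  return { escaped: escape(value), htmlEncoded: htmlEncode(value) };
}

// Constructed sample rows, shaped like what a SelectMethod might return.
var sampleRows = [
  { Id: 1, Name: 'Tom & "Jerry" <b>Ltd</b>' },
  { Id: 2, Name: "<script>x</script>" }
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(encodeRowsForGrid(sampleRows, ["Name"]));
  console.log(compareEncodings(sampleRows[0].Name));
}
```

Option 1 is the safer default because the data arrives at the browser already inert, whereas option 2 depends on every column being covered by the handler; whichever is used, the encoder must be applied to the value once, since double-encoding turns `&amp;` into `&amp;amp;` on screen.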

Scott
answered on 17 Jan 2018, 12:15 AM

This is why my company stopped using Telerik. Workarounds aren't a solution to a bug. If HtmlEncode doesn't work, then don't provide the attribute in the first place. Apparently this is still broken in the 2017 version and the workaround is to call a JavaScript function on every row load...

It should be escaped before the page even reaches the client.
