HtmlEncode="true" not honoured on a GridBoundColumn when using clientside data binding

9 posts, 0 answers
  1. Roatin Marth
    Roatin Marth avatar
    65 posts
    Member since:
    Nov 2007

    Posted 09 Feb 2009 Link to this post

    I have the following set on my grid:
    <MasterTableView> 
        <Columns> 
            <telerik:GridBoundColumn UniqueName="Description" DataField="Description" HtmlEncode="true" /> 
        </Columns> 
    </MasterTableView> 

    This properly escapes html entities that may exist in that field when using traditional data binding.

    However when switching to the built-in code-less clientside databinding html values fail to get escaped. Eg
    <ClientSettings> 
        <DataBinding Location="WebService.asmx" SelectMethod="GetData" /> 
    </ClientSettings> 

    This is a XSS security risk. Fix this.

    Version is 2008.3.1314.35

  2.
  3. Rob T
    Rob T avatar
    44 posts
    Member since:
    Jul 2007

    Posted 11 Feb 2009 Link to this post

    Anyone from Telerik out there?
  5. Nikolay Rusev
    Admin
    Nikolay Rusev avatar
    2289 posts

    Posted 12 Feb 2009 Link to this post

    Hello Nizar,

    Unfortunately HtmlEncode property of RadGrid doesn't apply client-side data-binding and this is by design. However if you need to escape the content when data-binding you can apply this in two places:

     - before returning your data from WebService/PageMethod
     - on OnRowDataBound client-side event and use JavaScript escape function

    I hope this helps.

    Regards,
    Nikolay
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
  7. Teodorico
    Teodorico avatar
    39 posts
    Member since:
    Feb 2009

    Posted 31 Mar 2009 Link to this post

    Hi,
    Will this be changed in the near future? Otherwise, we have to call

    System.Web.

    HttpUtility.HtmlEncode(value) for every cell data assigned to the grid.

    Thanks.

     

  8.
  9. Nikolay Rusev
    Admin
    Nikolay Rusev avatar
    2289 posts

    Posted 31 Mar 2009 Link to this post

    Hello Teodorico,

    There are no plans for porting this into RadGrid client-side databinding at this stage.
    You can use both approaches which I mentioned in my previous post.

    Sincerely yours,
    Nikolay
    the Telerik team

    Check out Telerik Trainer , the state of the art learning tool for Telerik products.
  11. Teodorico
    Teodorico avatar
    39 posts
    Member since:
    Feb 2009

    Posted 01 Apr 2009 Link to this post

    Hi Nikolay,

    I was able to get it working fine from code behind using  System.Web.HttpUtility.HtmlEncode.

    The problem with this approach is that I will have to modify the data collection already returned by the business layer, so I would probably opt for implementing this on JS.

    I hit a wall trying to use JS.

    With the following code I am able to see the data and display it modified on an alert but the grid does not reflect the change.

    function RadGrid1_RowDataBound(sender, args)

    {

          args.get_dataItem()["Name"] = escape(args.get_dataItem()["Name"]);

          alert(args.get_dataItem()["Name"]);

    }

     

    If I use something like this:

    function RadGrid1_RowDataBound(sender, args)

    {

          args.get_item().get_cell("Name").innerHTML = escape(args.get_dataItem()["Name"]);

    }

     

    I can see the modified data on the grid but encoded as %3c..., etc.

    What would be the correct approach to change the cell data on this event?

     

    Thanks.

  13. Nikolay Rusev
    Admin
    Nikolay Rusev avatar
    2289 posts

    Posted 02 Apr 2009 Link to this post

    Hello Teodorico,

    In javascript there is not such method equally to server-side System.Web.HttpUtility.HtmlEncode method.
    You can use escape(as in your code snippets) which encodes special characters, with the exception of:
    * @ - _ + . / . More information might be found here.
    If you need to perform encode such as the server method you should create your own parsing logic.

    For your convenience I am enclosing sample application which demonstrates the schema of how you can escape your business data before binding RadGrid.

    Please find it attached application to this thread.

    Kind regards,
    Nikolay
    the Telerik team

    Check out Telerik Trainer , the state of the art learning tool for Telerik products.
  15. cheeves
    cheeves avatar
    4 posts
    Member since:
    Nov 2006

    Posted 11 Oct 2011 Link to this post 

    Hi, 
if this needs to be done on the client, the jquery text method can be used - 

    function RadGrid1_RowDataBound(sender, args)
    {
       $(args.get_item().get_cell("Name")).text(args.get_dataItem()["Name"]);
    }

         
  17. Scott
    Scott avatar
    1 posts
    Member since:
    May 2014

    Posted 16 Jan 2018 in reply to Nikolay Rusev Link to this post

    This is why my company stopped using Telerik.  Workarounds aren't a solution to a bug.   If HtmlEncode doesn't work, then don't provide the attribute in the first place.  Apparently this is still broken in 2017 version and the workaround is to call a javascript function on every row load...

    It should be escaped before the page even reaches the client.

Back to Top