Rank 1
| <MasterTableView> |
| <Columns> |
| <telerik:GridBoundColumn UniqueName="Description" DataField="Description" HtmlEncode="true" /> |
| </Columns> |
| </MasterTableView> |
This properly escapes html entities that may exist in that field when using traditional data binding.
However when switching to the built-in code-less clientside databinding html values fail to get escaped. Eg
| <ClientSettings> |
| <DataBinding Location="WebService.asmx" SelectMethod="GetData" /> |
| </ClientSettings> |
This is a XSS security risk. Fix this.
Version is 2008.3.1314.35
8 Answers, 1 is accepted
Rank 1
Unfortunately HtmlEncode property of RadGrid doesn't apply client-side data-binding and this is by design. However if you need to escape the content when data-binding you can apply this in two places:
- before returning your data from WebService/PageMethod
- on OnRowDataBound client-side event and use JavaScript escape function
I hope this helps.
Regards,
Nikolay
the Telerik team
Check out Telerik Trainer, the state of the art learning tool for Telerik products.
Rank 1
Will this be changed in the near future? Otherwise, we have to call
System.Web.
HttpUtility.HtmlEncode(value) for every cell data assigned to the grid.
Thanks.
There are no plans for porting this into RadGrid client-side databinding at this stage.
You can use both approaches which I mentioned in my previous post.
Sincerely yours,
Nikolay
the Telerik team
Check out Telerik Trainer , the state of the art learning tool for Telerik products.
Rank 1
Hi Nikolay,
I was able to get it working fine from code behind using System.Web.HttpUtility.HtmlEncode.
The problem with this approach is that I will have to modify the data collection already returned by the business layer, so I would probably opt for implementing this on JS.
I hit a wall trying to use JS.
With the following code I am able to see the data and display it modified on an alert but the grid does not reflect the change.
function RadGrid1_RowDataBound(sender, args)
{
args.get_dataItem()["Name"] = escape(args.get_dataItem()["Name"]);
alert(args.get_dataItem()["Name"]);
}
If I use something like this:
function RadGrid1_RowDataBound(sender, args)
{
args.get_item().get_cell("Name").innerHTML = escape(args.get_dataItem()["Name"]);
}
I can see the modified data on the grid but encoded as %3c..., etc.
What would be the correct approach to change the cell data on this event?
Thanks.
In javascript there is not such method equally to server-side System.Web.HttpUtility.HtmlEncode method.
You can use escape(as in your code snippets) which encodes special characters, with the exception of:
* @ - _ + . / . More information might be found here.
If you need to perform encode such as the server method you should create your own parsing logic.
For your convenience I am enclosing sample application which demonstrates the schema of how you can escape your business data before binding RadGrid.
Please find it attached application to this thread.
Kind regards,
Nikolay
the Telerik team
Check out Telerik Trainer , the state of the art learning tool for Telerik products.
Rank 1
Hi,
if this needs to be done on the client, the jquery text method can be used -
function RadGrid1_RowDataBound(sender, args){ $(args.get_item().get_cell("Name")).text(args.get_dataItem()["Name"]);}
This is why my company stopped using Telerik. Workarounds aren't a solution to a bug. If HtmlEncode doesn't work, then don't provide the attribute in the first place. Apparently this is still broken in 2017 version and the workaround is to call a javascript function on every row load...
It should be escaped before the page even reaches the client.