Rank 1
Iron
Is it possible to prevent script/code injection with the "Drag and Drop" feature? It seems text is encoded when displayed but executed on drag and drop. I only tested this with the Grid and TreeList components.
1 Answer, 1 is accepted
Hi Daniel,
You can disable HTML encoding for the columns by setting the columns.encoded property to `false`.
Dojo demo: https://dojo.telerik.com/BNHwymkp
Regards,
Nikolay
Progress Telerik
Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.
Rank 1
Iron
Thank you for your reply, Nikolay. In my case, I do not want to disable the encoding as I don't want to allow HTML tags. For example, I don't want <b></b> to actually bold text. Any tags should just be displayed as entered.
Out of curiosity, is the script tag handled specially by the controls when encoded is set to false? I would expect it to execute in that case.
Hi Daniel,
Thank you for the follow-up.
I investigated further and it appeared the tags should not be accepted as HTML in encoded columns. Thus, I logged this for fixing and you can rack its progress at the below links:
- GitHub: https://github.com/telerik/kendo-ui-core/issues/8038
- Feedback portal: https://feedback.telerik.com/kendo-jquery-ui/1670052-script-tag-gets-executed-on-drag-when-encoding-is-enabled-in-grid
As a token of gratitude, I have added some Telerik points to your account.
Regards,
Nikolay
Rank 1
Iron
Hi Daniel,
I am afraid the fix has not been applied to the TreeList. Here is the TreeList issue for tracking:
- GitHub: https://github.com/telerik/kendo-ui-core/issues/8153
- Feedback portal: https://feedback.telerik.com/kendo-jquery-ui/1679546-script-tag-gets-executed-on-drag-when-encoding-is-enabled-in-treelist-8038
Regards,
Nikolay