Is it possible to prevent script/code injection with the "Drag and Drop" feature? It seems text is encoded when displayed but executed on drag and drop. I only tested this with the Grid and TreeList components.
1 Answer, 1 is accepted
Nikolay
Telerik team
answered on 06 Nov 2024, 02:06 PM
Hi Daniel,
You can disable HTML encoding for the columns by setting the columns.encoded property to `false`.
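As an added illustration of what the `columns.encoded` flag controls (not code from this thread or from Telerik), the following stand-in renderer encodes a cell by default and only passes markup through when a column is explicitly set to `encoded: false`; it assumes the encoder escapes the five standard HTML characters, which may differ in detail from the control's own implementation.

```javascript
// Added example: a stand-in for how a Grid-like column renders a cell value
// depending on its `encoded` flag. Illustrative only, not Kendo UI's own code.

// Escape the characters that can start markup or break out of an attribute.
// `&` must be replaced first so that already-produced entities are not re-escaped.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one cell. `encoded` defaults to true, matching the secure default;
// only an explicit `encoded: false` lets raw markup reach the DOM.
function renderCell(column, value) {
  const encoded = column.encoded !== false;
  return encoded ? htmlEncode(value) : String(value);
}

// Render a row as <td> cells for a set of column definitions.
function renderRow(columns, row) {
  return columns.map(c => `<td>${renderCell(c, row[c.field])}</td>`).join("");
}

// Constructed sample data: the same row rendered with the default (safe)
// column set and with the weakened column set from the answer above.
const columnsSafe = [{ field: "name" }, { field: "note" }];
const columnsWeak = [{ field: "name" }, { field: "note", encoded: false }];
const row = { name: "Daniel", note: "<b>bold</b> & <i>italic</i>" };

// Detection check: after stripping the <td> wrappers this renderer added,
// does any user-supplied tag survive in the output?
function containsRawTag(html) {
  const inner = html.replace(/<\/?td>/g, "");
  return /<[a-zA-Z!\/]/.test(inner);
}
```

With the default columns the note is shown literally as `<b>bold</b> & <i>italic</i>`; with `encoded: false` the same value is emitted as live markup, which is the behaviour the question is trying to avoid.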
Thank you for your reply, Nikolay. In my case, I do not want to disable the encoding as I don't want to allow HTML tags. For example, I don't want <b></b> to actually bold text. Any tags should just be displayed as entered.
Out of curiosity, is the script tag handled specially by the controls when encoded is set to false? I would expect it to execute in that case.
Nikolay
Telerik team
commented on 11 Nov 2024, 02:23 PM
Hi Daniel,
Thank you for the follow-up.
I investigated further and it appeared the tags should not be accepted as HTML in encoded columns. Thus, I logged this for fixing and you can track its progress at the below links: