Is it possible to do script/code injection with the "Drag and Drop" feature?

1 Answer 30 Views
Drag and Drop Grid Security TreeList
Daniel asked on 01 Nov 2024, 04:33 PM | edited on 01 Nov 2024, 05:22 PM

Is it possible to prevent script/code injection with the "Drag and Drop" feature? It seems text is encoded when displayed but executed on drag and drop. I only tested this with the Grid and TreeList components.

1 Answer, 1 is accepted

Nikolay
Telerik team
answered on 06 Nov 2024, 02:06 PM

Hi Daniel,

You can disable HTML encoding for the columns by setting the columns.encoded property to `false`.

Dojo demo: https://dojo.telerik.com/BNHwymkp

Regards,
Nikolay
Progress Telerik


Daniel
commented on 06 Nov 2024, 04:53 PM

Thank you for your reply, Nikolay. In my case, I do not want to disable the encoding as I don't want to allow HTML tags. For example, I don't want <b></b> to actually bold text. Any tags should just be displayed as entered.

Out of curiosity, is the script tag handled specially by the controls when encoded is set to false? I would expect it to execute in that case.

Nikolay
Telerik team
commented on 11 Nov 2024, 02:23 PM

Hi Daniel,

Thank you for the follow-up.

I investigated further and it appeared the tags should not be accepted as HTML in encoded columns. Thus, I logged this for fixing and you can track its progress at the below links:

As a token of gratitude, I have added some Telerik points to your account.

Regards,

Nikolay
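The model below is an added example, not code from this thread or from Telerik. It illustrates the two points Nikolay makes above in plain JavaScript: how a column with `columns.encoded` left at `true` escapes cell text while `encoded: false` emits the field as raw HTML, and why a drag hint that interpolates the unescaped field value re-creates the injection even for an encoded column, which is the behaviour Daniel reports and Nikolay logged as a bug. The `htmlEncode`, `cellText`, `renderCell`, `renderDragHint*` and `containsRawTag` functions and the sample values are assumptions written for this example; they stand in for the real Kendo UI template pipeline and do not show where the actual defect lives in the Grid or TreeList code.

```javascript
// Added example (not Telerik's or the thread's code). Models the encoding
// decision a Kendo UI grid column makes via `columns.encoded` and shows why
// a drag hint that bypasses it re-introduces script injection. All function
// names and the sample values below are assumptions made for this example.

// HTML-escape the characters that can break out of text or attribute context.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Cell text as governed by the column setting: encoded defaults to true,
// so only an explicit `encoded: false` emits the field value as raw HTML.
function cellText(value, column) {
  return column.encoded === false ? String(value) : htmlEncode(value);
}

function renderCell(value, column) {
  return `<td>${cellText(value, column)}</td>`;
}

// Drag hint that interpolates the raw field value regardless of the column
// setting: the shape of the defect Daniel reports (safe in the cell,
// executed once the hint markup is inserted into the document).
function renderDragHintUnsafe(value) {
  return `<div class="k-drag-hint">${value}</div>`;
}

// Hardened hint: reuse the column's encoding decision so an encoded column
// stays encoded wherever its value is rendered as markup.
function renderDragHint(value, column) {
  return `<div class="k-drag-hint">${cellText(value, column)}</div>`;
}

// Check helper: true if `tagName` appears as a live (unescaped) opening tag.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>/]`, "i").test(html);
}

// Constructed sample field values; none come from the original thread.
const SAMPLE_VALUES = [
  "Alice <b>bold</b>",               // Daniel's case: must display literally
  '<img src=x onerror="alert(1)">',  // handler attribute fires via innerHTML
  "<script>alert('xss')</script>",   // inert via innerHTML, but still a tag
];

// Render each sample through an encoded column: cell plus both hint variants.
function demo(column = { field: "name", encoded: true }) {
  return SAMPLE_VALUES.map((value) => ({
    value,
    cell: renderCell(value, column),
    unsafeHint: renderDragHintUnsafe(value),
    safeHint: renderDragHint(value, column),
  }));
}

// Stand-alone run: print each rendering so the difference is visible.
if (typeof require !== "undefined" && require.main === module) {
  for (const row of demo()) {
    console.log(row);
  }
}
```

Two things worth noting from the second sample value: markup inserted through `innerHTML` does not execute a `<script>` element, but it does attach event-handler attributes such as `onerror`, so the question is not whether the script tag is special-cased but whether any field value reaches a markup sink unencoded. The fix pattern is the one in `renderDragHint`: derive the hint text from the same `encoded` decision as the cell, rather than from the raw data item.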