This is a migrated thread and some comments may be shown as answers.

Kendo UI MVC Prevent Cross-Site Scripting in Hyperlinks

2 Answers 229 Views
General Discussions
Brian
Brian asked on 26 Jun 2019, 02:38 PM

Hello,

In my current project we are facing some issues regarding XSS using the Editor in MVC. We already use the AntiXss library to "clean" the html posted to the server but we are facing the following difficulty.

In the editor "Insert Hyperlink" functionality, we have been warned that a possible script can be run by inserting malicious content to the Tooltip field.

For example look at "Hyperlink xss example.png".

I have already reviewed the documentation Telerik provides regarding this XSS but didn't find anything related to this particular issue.

Is there a way to remove the Tooltip field from the Insert Hyperlink form? (Using MVC, not jQuery.) Or any other possible solution for this problem.


2 Answers, 1 is accepted

0
Ivan Danchev
Telerik team
answered on 28 Jun 2019, 11:21 AM
Hello Brian,

Thank you for reporting this issue. We will investigate it further.

With regard to removing the Tooltip from the Insert Hyperlink popup, you can do it in the Execute event handler, as shown below.

Attach the handler:
.Events(events => events.Execute("onExecute"))

In the handler remove (or hide) the respective elements:
function onExecute(e) {
  // "createlink" is the command name the Editor raises for Insert Hyperlink.
  if (e.name === "createlink") {
    // The dialog is rendered after the Execute event fires, so defer until
    // the current call stack has finished and the popup is in the DOM.
    setTimeout(function () {
      // Tooltip is the third label/field pair in the Insert Hyperlink form.
      $(".k-editor-dialog .k-edit-form-container .k-edit-label").eq(2).remove();
      $(".k-editor-dialog .k-edit-form-container .k-edit-field").eq(2).remove();
    }, 0);
  }
}


Regards,
Ivan Danchev
Progress Telerik
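Removing the Tooltip field from the dialog only hides the input on the client; whatever reaches the server (from this dialog, a modified request, or another client) still has to be treated as untrusted when the link is rendered. The following is an added example, not Kendo UI, Telerik or the original poster's code, showing what safe rendering of a hyperlink's parts looks like in plain JavaScript: the tooltip (the anchor's title attribute) and the link text are attribute/text encoded, and the href is restricted to an allowlist of schemes. The function names, the scheme list and the sample link are this example's own assumptions.

```javascript
// Added example (not Kendo UI / Telerik code): render an anchor from
// untrusted parts so that none of them can break out of its HTML context.

// Entities for the characters that can terminate a double-quoted attribute
// value or a text node. '&' is included so emitted entities stay unambiguous.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a string for use inside a double-quoted HTML attribute or as text.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Schemes a hyperlink legitimately needs (assumed allowlist for this example).
const ALLOWED_SCHEMES = ["http:", "https:", "mailto:"];

// Return the href if it is relative or uses an allowed scheme; otherwise a
// harmless fragment link. The WHATWG URL parser is used so that scheme
// detection matches what a browser will do with the same string.
function safeHref(href) {
  const raw = String(href).trim();
  let url;
  try {
    url = new URL(raw);
  } catch (_) {
    // Not parseable as an absolute URL: a relative link has no scheme to abuse.
    return raw;
  }
  return ALLOWED_SCHEMES.includes(url.protocol) ? raw : "#";
}

// Build the anchor markup. The tooltip becomes the title attribute and is
// encoded exactly like any other attribute value.
function buildAnchor({ href, text, title }) {
  let html = `<a href="${encodeHtml(safeHref(href))}"`;
  if (title !== undefined && title !== null && title !== "") {
    html += ` title="${encodeHtml(title)}"`;
  }
  html += `>${encodeHtml(text)}</a>`;
  return html;
}

// Constructed sample: a tooltip containing characters that would otherwise
// end the title attribute early or open a new tag.
const sampleLink = {
  href: "https://www.telerik.com/",
  text: "Telerik",
  title: 'Kendo "UI" <docs>',
};

function demo() {
  return buildAnchor(sampleLink);
}

// demo() returns:
// <a href="https://www.telerik.com/" title="Kendo &quot;UI&quot; &lt;docs&gt;">Telerik</a>
```

The same three rules (encode attribute values, encode text, allowlist URL schemes) apply whichever library produces the final HTML; an HTML sanitizer such as the AntiXss library mentioned in the question is the right tool for arbitrary editor output, and this example only isolates what "clean" has to mean for a single anchor.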
0
Dimitar
Telerik team
answered on 16 Jul 2019, 05:49 AM
Hello Brian,

We addressed a similar issue in the Editor's insert hyperlink dialog in the 2018 R2 SP1 (2018.2.620) version. Could you verify whether the version of Telerik UI for ASP.NET MVC that you are using is greater than the one specified?

Also, after further testing the tooltip textbox, I was not able to reproduce the scenario with the mouseover event execution. Could you provide the entire text that is being set in the tooltip textbox so that I could reproduce this on my end and continue investigating?

Regards,
Dimitar
Progress Telerik