Kendo UI MVC Prevent Cross-Site Scripting in Hyperlinks

3 posts, 0 answers
  1. Brian
    1 posts
    Member since:
    Sep 2017

    Posted 26 Jun

    Hello,

    In my current project we are facing some issues regarding XSS using the Editor in MVC. We already use the AntiXss library to "clean" the html posted to the server but we are facing the following difficulty.

    In the editor "Insert Hyperlink" functionality, we have been warned that a possible script can be run by inserting malicious content to the Tooltip field.

    For example look at "Hyperlink xss example.png".

    I have already reviewed the documentation Telerik provides regarding this XSS but didn't find anything related to this particular issue.

    Is there a way to remove the Tooltip field from the Insert Hyperlink form? (Using MVC, not jQuery.) Or any other possible solution for this problem.

    Thanks

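The attribute break-out Brian is describing, as an added example that is not part of the original post or of Telerik's code: a tooltip value is concatenated straight into the `title="..."` attribute of the generated anchor, so a value containing a double quote closes the attribute and smuggles in an `onmouseover` handler. The hardened builder encodes every user-controlled piece for the attribute or text context it lands in and allow-lists the href scheme, because a `javascript:` address is the other classic way an Insert Hyperlink dialog becomes an XSS sink. The function names (`escapeAttr`, `isSafeHref`, `buildLinkUnsafe`, `buildLinkSafe`, `parseAttributes`) and the sample tooltip are hypothetical and constructed for this illustration.

```javascript
// Added example, not code from the forum thread or from Telerik/Kendo UI.
// Helper names below are hypothetical; the hostile tooltip is a constructed sample.

// Encode the characters that can terminate a double-quoted HTML attribute
// value or open a tag. This is attribute-context encoding, which is what a
// tooltip needs; HTML "cleaning" of the whole document is not a substitute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Allow-list URL schemes. Control characters and whitespace are stripped
// before the check because browsers ignore them inside a scheme
// ("java\nscript:" still runs), so a naive prefix test would be bypassed.
function isSafeHref(href) {
  const probe = String(href).replace(/[\u0000-\u0020]/g, "");
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(probe);
  if (!hasScheme) return true; // relative URL
  return /^(https?|mailto):/i.test(probe);
}

// Naive construction: the tooltip lands in title="..." unencoded.
function buildLinkUnsafe(href, text, tooltip) {
  return '<a href="' + href + '" title="' + tooltip + '">' + text + "</a>";
}

// Hardened construction: scheme check on href, context encoding on everything.
function buildLinkSafe(href, text, tooltip) {
  if (!isSafeHref(href)) {
    throw new Error("href uses a disallowed URL scheme");
  }
  return (
    '<a href="' + escapeAttr(href) + '" title="' + escapeAttr(tooltip) + '">' +
    escapeAttr(text) +
    "</a>"
  );
}

// Minimal attribute tokenizer for the opening tag of the generated markup
// (double-quoted attributes only, which is all the builders above emit).
// It is a checker for this example, not a general HTML parser.
function parseAttributes(markup) {
  const openTag = markup.slice(0, markup.indexOf(">") + 1);
  const attrs = {};
  const re = /([A-Za-z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(openTag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// A link produced by an Insert Hyperlink dialog should never carry an on* attribute.
function hasEventHandlerAttribute(markup) {
  return Object.keys(parseAttributes(markup)).some((name) => name.startsWith("on"));
}

// Constructed sample: closes the title attribute and appends an event handler.
const hostileTooltip = 'x" onmouseover="alert(document.domain)';

const unsafeMarkup = buildLinkUnsafe("https://example.com", "Example", hostileTooltip);
const safeMarkup = buildLinkSafe("https://example.com", "Example", hostileTooltip);

console.log(unsafeMarkup); // onmouseover becomes a real attribute
console.log(safeMarkup);   // the whole payload stays inside the title value
```

Whether the dialog field is removed or not, the server-side sanitizer should treat `title` (and every other attribute it keeps) as an attribute value to be encoded, and reject non-http(s)/mailto schemes in `href`; removing the Tooltip field only stops the dialog from being the convenient entry point, not a hand-crafted POST.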
  2. Ivan Danchev
    Admin
    1750 posts

    Posted 28 Jun

    Hello Brian,

    Thank you for reporting this issue. We will investigate it further.

    With regard to removing the Tooltip from the Insert Hyperlink popup, you can do it in the Execute event handler, as shown below.

    Attach the handler:
    .Events(events => events.Execute("onExecute"))

    In the handler remove (or hide) the respective elements:
    function onExecute(e) {
      // "createlink" is the command name of the Insert Hyperlink tool.
      if (e.name === "createlink") {
        // The Execute event fires before the command runs, so the dialog is
        // not in the DOM yet; defer the DOM changes until it exists.
        setTimeout(function () {
          // The third label/field pair of the dialog form is the Tooltip.
          // Use .hide() instead of .remove() if you prefer to keep the field.
          $(".k-editor-dialog .k-edit-form-container .k-edit-label").eq(2).remove();
          $(".k-editor-dialog .k-edit-form-container .k-edit-field").eq(2).remove();
        }, 0);
      }
    }


    Regards,
    Ivan Danchev
    Progress Telerik
    Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
  3. Dimitar
    Admin
    683 posts

    Posted 16 Jul

    Hello Brian,

    We addressed a similar issue in the Editor's insert hyperlink dialog in the 2018 R2 SP1 (2018.2.620) version. Could you verify whether the version of Telerik UI for ASP.NET MVC that you are using is greater than the one specified?

    Also, after further testing the tooltip textbox, I was not able to reproduce the scenario with the mouseover event execution. Could you provide the entire text that is being set in the tooltip textbox so that I could reproduce this on my end and continue investigating?

    Regards,
    Dimitar
    Progress Telerik