Paste invalid data into RadNumericTextBox

4 posts, 0 answers
  1. Phil
    Phil avatar
    273 posts
    Member since:
    Jul 2008

    Posted 06 Feb 2012 Link to this post

    Hi:

    I was testing a RadNumericTextBox.  It is somewhat declared as follows:
    <telerik:RadNumericTextBox ID="quantityTextBox" Runat="server" MaxLength="4"
        MaxValue="9999" MinValue="1" Text='<%# Bind("Quantity") %>' Width="60px"
        OnTextChanged="quantityTextBox_TextChanged" AutoPostBack="True"
        />
    I was testing for XSS (cross site scripting) and was able to paste <scr into the textbox.  I was not able to type the value, but surprisingly, I was able to paste non-numeric data.

    Phil
  2.
  3. Kevin
    Kevin avatar
    360 posts
    Member since:
    Jul 2012

    Posted 07 Feb 2012 Link to this post

    Hello Phil,

    It's true that you can paste the value in, but after the control loses focus, it gets removed. At least that is how it works on the demo site.
  5. Phil
    Phil avatar
    273 posts
    Member since:
    Jul 2008

    Posted 07 Feb 2012 Link to this post

    Hi:

    I have an OnChange event on the text-box and it is processed.  It is not the expected behavior.  Not good.

    Phil
  7. Elliott
    Elliott avatar
    392 posts
    Member since:
    May 2010

    Posted 08 Feb 2012 Link to this post

    is there an OnError client event?  you can set_value('') at that point
  8.
Back to Top