Radgrid Excel Export Vulnerabilities

1 Answer 28 Views
Grid Security
Dennis
Top achievements
Rank 1
Dennis asked on 30 Dec 2021, 08:14 AM

Hi 

Im using Radgrid ExportToExcel() but getting this vulnerability caused the exported file to be broken 

is there any workaround for this?

1 Answer, 1 is accepted

Sort by
0
Attila Antal
Telerik team
answered on 03 Jan 2022, 11:05 AM

Hi Dennis,

RadGrid by default will display HTML code as-is in the Datasource. Because of that, the default export functionality will export to HTML-Based excel and as a result HTML script will be exported the same way into the document. If the data source data contains malicious scripts, they will be executed even if the Grid is loaded on the page not only in the exported excel file.

 

To prevent that, you will need to do one of the following:

a) The first and most important is to avoid having HTML content in the data source.

b) Encode the data before displaying it by setting the HtmlEncode property of the Grid columns to true:

<telerik:GridBoundColumn HtmlEncode="true"></telerik:GridBoundColumn>

c) You can also export to the latest version of Excel (Office Open XML - XSLX) by setting the ExportSettings -> Excel-Format to XLSX

<telerik:RadGrid ID="RadGrid1" runat="server"> 
    <ExportSettings>
        <Excel Format="Xlsx" />
    </ExportSettings>
</telerik:RadGrid>

 

I hope this will be helpful.

 

Regards,
Attila Antal
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Tags
Grid Security
Asked by
Dennis
Top achievements
Rank 1
Answers by
Attila Antal
Telerik team
Share this question
or