Sanitize data from server before rendering widget - xss

General Discussions Security
Vedad asked on 23 Dec 2021, 11:00 AM

Hi,

I have following situation:

We have a desktop application and a web application (AngularJS with Kendo UI jQuery) which both use the same server REST API.

If a user enters malicious code as a string, <script>alert("security breach")</script>, through the desktop application or manually through Postman and the API, this is saved to the database (we have cases where we have to allow such tags in the DB). When this is rendered on the desktop, it is fine, but when I render the Kendo UI tree list, the script is rendered and executed. So my tree list is displayed, and the alert is executed.

I have ngSanitize turned on application-wide, but it seems not to be working on the Kendo UI widgets used within (we combine the jQuery and Angular approaches for widgets).

Do you have any suggestions on how to approach this?

Thank you

Vedad
commented on 27 Dec 2021, 03:19 PM

Hi, I did some further investigation. It seems that the problem occurs only if you use the template as a function, not as a Kendo template.

Reproducible behavior can be seen in following dojo:

https://dojo.telerik.com/OXehEKUh/2

I have pretty complex logic for the template, and it is not suitable for a Kendo template.

Please could you advise.

Thanks.

1 Answer, 1 is accepted

Accepted
Nikolay
Telerik team
answered on 28 Dec 2021, 09:35 AM

Hi Vedad,

Thank you for updating me on the case.

Indeed, when a function is used for the template, you need to encode the HTML characters in the data source with the htmlEncode function:

{ id: 3, text: kendo.htmlEncode("<script>alert('aaaaaa')<\/script>"), spriteCssClass: "html" }

Regards,

Nikolay
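The following is an added example, not code from the thread or from Telerik's Kendo UI. It shows why a template function behaves differently from a Kendo template string: Kendo's own template syntax HTML-encodes a field with `#: field #` (and inserts it raw with `#= field #`), whereas a template function is trusted to return finished markup, so whatever the data source holds is inserted as HTML. The block puts the vulnerable function beside the two ways to fix it: encoding the data item as the accepted answer suggests, and encoding at the render point inside the template function. The `htmlEncode` helper is a stand-in assumed to match `kendo.htmlEncode` so the example runs without Kendo loaded; the `k-sprite` span is an approximation of how a tree node's sprite class is rendered; `unsafeTemplate`, `encodeDataItem`, `safeTemplate`, `containsScriptTag` and `demo` are hypothetical names introduced here, and the data item is constructed from the payload in the answer.

```javascript
// Added example (not from the Telerik thread): a template function that
// concatenates data into markup, beside the same rendering with HTML encoding.

// Stand-in for kendo.htmlEncode so the example runs without Kendo UI.
// Assumed to match it (it escapes the same five characters); not Kendo's code.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed data item in the shape the answer uses. The text field is the
// stored payload from the thread, exactly as the REST API would return it.
const untrustedItem = {
  id: 3,
  text: "<script>alert('aaaaaa')<\/script>",
  spriteCssClass: "html",
};

// Vulnerable: the widget treats the return value as finished HTML, so the
// stored <script> lands in the DOM as markup. Because the widget inserts it
// through jQuery, the script also executes.
function unsafeTemplate(item) {
  return "<span class='k-sprite " + item.spriteCssClass + "'></span>" + item.text;
}

// Fix 1 (the accepted answer): encode in the data source, so the template
// function itself can stay unchanged.
function encodeDataItem(item) {
  return { ...item, text: htmlEncode(item.text) };
}

// Fix 2: encode at the render point, inside the template function. The data
// source stays raw for other consumers (the desktop client renders the text
// rather than HTML), and the attribute context is covered too: a quote in
// spriteCssClass would otherwise break out of the class attribute.
function safeTemplate(item) {
  return (
    "<span class='k-sprite " + htmlEncode(item.spriteCssClass) + "'></span>" +
    htmlEncode(item.text)
  );
}

// Narrow check used only to make the difference visible: does the rendered
// markup still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the same item the three ways and return the markup for inspection.
function demo() {
  return {
    unsafe: unsafeTemplate(untrustedItem),
    encodedData: unsafeTemplate(encodeDataItem(untrustedItem)),
    encodedTemplate: safeTemplate(untrustedItem),
  };
}
```

Of the two fixes, encoding inside the template function is the more conventional one: the encoding happens where the HTML context is known, every field that reaches the markup (including attribute values) is covered, and the data source is not altered for clients that display the text rather than interpret it as HTML. Encoding in the data source, as the answer suggests, is the smaller change when the template function cannot be touched, but note that a field encoded once must not be encoded again downstream, or `&lt;` will be displayed literally as `&amp;lt;`.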

Vedad
commented on 28 Dec 2021, 10:56 AM | edited

Hi Nikolay, 

thank you for the prompt answer and help. This indeed solves the problem.

May I suggest you update the documentation of the widget(s) to make this visible immediately when one is reading about the widget and its options.

Also, maybe you can put the solution in an answer instead of a comment so I can mark it as answered.

Thanks again and happy holidays!

Vedad

Nikolay
Telerik team
commented on 31 Dec 2021, 08:19 AM

Hi Vedad,

Thank you for the points. Indeed, I find them valid.

I just converted my last reply into an answer so you can mark it as answered.

I will also make sure this is added to the documentation.

Kind regards,

Nikolay


Vedad
commented on 05 Jan 2022, 09:24 AM

Hi Nikolay, 

I marked your post as answer. 

Thanks for the help.

Cheers,

Vedad
