This is a migrated thread and some comments may be shown as answers.

Script Execution from data in Kendo Grid

Andrew asked on 04 Jun 2019, 02:33 PM

In playing with a Kendo Grid I found that it's possible to enter Javascript code into the json dataSource and get it to execute.

This is the snippet I worked with as a proof of concept:

https://dojo.telerik.com/@andyrblank/uSAmapAV

I found this while entering data into a MVC grid for testing.

3 Answers, 1 is accepted

Georgi
Telerik team
answered on 06 Jun 2019, 10:42 AM
Hello Andrew,

Thanks for the sample.

However, currently the script is executed not because it is in the dataSource, but because you are closing the initial script tag, after which another one is opened which contains an alert. When the browser executes the second script tag, the alert is displayed. Also, a JS error is thrown due to that closing tag in the middle of the products array, as the array has an invalid (unfinished) declaration. As a result, the grid is not initialized.

In other words, the script within the dataSource is not executed because it is in the dataSource, but because it is in a script tag and the browser executes it.

I hope this helps.


Regards,
Georgi
Progress Telerik
Andrew
answered on 06 Jun 2019, 05:31 PM

Thanks for looking into this!

I made this sample because we have an MVC Kendo grid in our project that displays search results for data in our product. In testing I was entering values into a form to see if code injection was possible and with 

<script></script><script>alert('pwned');</script>

entered into a form input, saved to the database and retrieved in the Kendo grid search results, I noticed the code was executing. My assumption was that the Kendo Grid would be able to treat this as text, but from your input, is it my understanding that we will need to sanitize this as text before it gets into the data for the Kendo Grid?

Thanks again!

Georgi
Telerik team
answered on 10 Jun 2019, 09:20 AM
Hello Andrew,

Even if the data contains a valid script, when the script is inserted within the column cell, the content is HTML encoded by default, thus the browser will not execute the script. You could disable HTML encoding using the column.encoded setting. In other words, if column.encoded is enabled, you will not have to encode the response; however, if you disable the default encoding, you will have to encode the response before sending it to the client.


Regards,
Georgi
Progress Telerik
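Putting Georgi's two answers together as an added example (this is not Telerik or Kendo UI code and does not call the Kendo API): a JSON serialiser that escapes `<` so data inlined into a page cannot close the enclosing `<script>` block, which is the breakage described in the first answer, and an HTML encoder standing in for what the grid does to a column cell by default, with a simulated `column.encoded` switch as described in the second answer. `PAYLOAD` is the string Andrew posted; `jsonForInlineScript`, `htmlEncode`, `renderCell`, `canCloseScriptTag` and `demo` are names chosen here, and the product row is constructed sample data.

```javascript
// Added example, not Kendo UI code. Two separate defences from this thread:
//  1. Data inlined into a <script> block must not be able to close that block.
//     JSON.stringify leaves "</script>" intact inside a string, so "<" is
//     escaped to "\u003c", which is still valid JSON and parses back to "<".
//  2. Cell content is HTML-encoded before it reaches the DOM, which is the
//     effect of the grid's default column.encoded = true; encoded: false skips it.

// Constructed sample: the value Andrew entered into the form input.
const PAYLOAD = "<script></script><script>alert('pwned');</script>";

// JSON serialisation that is safe to place inside an inline <script> element.
// The output is still standard JSON, so the client parses it unchanged.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028") // line separators are valid JSON but not valid JS string literals
    .replace(/\u2029/g, "\\u2029");
}

// Minimal HTML encoder; same effect as the grid's default cell encoding.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simulated cell rendering with the column.encoded switch (default true).
// With encoded: false the raw value lands in the DOM, so the server must
// have encoded it already, as the second answer says.
function renderCell(value, column) {
  const encoded = column.encoded !== false;
  const content = encoded ? htmlEncode(value) : String(value);
  return `<td>${content}</td>`;
}

// Does this text contain a sequence that the HTML parser would treat as the
// end of an enclosing <script> element?
function canCloseScriptTag(s) {
  return /<\/script/i.test(s);
}

function demo() {
  const products = [{ ProductName: PAYLOAD, UnitPrice: 18 }]; // constructed row
  const naive = "var products = " + JSON.stringify(products) + ";";
  const safe = "var products = " + jsonForInlineScript(products) + ";";
  // Round trip: the escaped form still decodes to the original data.
  const roundTrip = JSON.parse(jsonForInlineScript(products))[0].ProductName;
  return {
    naiveBreaksOut: canCloseScriptTag(naive),   // true: the inline block is cut short
    safeBreaksOut: canCloseScriptTag(safe),     // false
    roundTripIntact: roundTrip === PAYLOAD,      // true
    encodedCell: renderCell(PAYLOAD, { field: "ProductName" }),
    rawCell: renderCell(PAYLOAD, { field: "ProductName", encoded: false }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two fixes are independent: escaping `<` in the inlined JSON keeps the page's script block intact (and the grid initialised), while the cell encoding keeps the value inert once it is rendered. If a column has `encoded: false` because it is meant to show trusted markup, `rawCell` shows what reaches the DOM, and the response must already have been encoded on the server for that column.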