In playing with a Kendo Grid I found that it's possible to enter JavaScript code into the JSON dataSource and get it to execute.
This is the snippet I worked with as a proof of concept:
https://dojo.telerik.com/@andyrblank/uSAmapAV
I found this while entering data into an MVC grid for testing.
Georgi
Telerik team
answered on 06 Jun 2019, 10:42 AM
Hello Andrew,
Thanks for the sample.
However, currently the script is executed not because it is in the dataSource, but because you are closing the initial script tag, then another is opened which contains an alert. When the browser executes the second script tag, the alert is displayed. Also a JS error is thrown due to that closing tag in the middle of the products array, as the array has an invalid (unfinished) declaration. As a result the grid is not initialized.
In other words, the script within the dataSource is not executed because it is in the dataSource, but because it is in a script tag and the browser executes it.
I hope this helps.
Regards,
Georgi
Progress Telerik
I made this sample because we have an MVC Kendo grid in our project that displays search results for data in our product. In testing I was entering values into a form to see if code injection was possible and with
<script></script><script>alert('pwned');</script>
entered into a form input, saved to the database and retrieved in the Kendo grid search results, I noticed the code was executing. My assumption was that the Kendo Grid would be able to treat this as text, but from your input is my understanding correct that we will need to sanitize this as text before it gets into the data for the Kendo Grid?
Thanks again!
Georgi
Telerik team
answered on 10 Jun 2019, 09:20 AM
Hello Andrew,
Even if the data contains a valid script, when the script is inserted within the column cell, the content is HTML encoded by default, thus the browser will not execute the script. You could disable HTML encoding using the column.encoded setting. In other words, if column.encoded is enabled, you will not have to encode the response; however, if you disable the default encoding, you will have to encode the response before sending it to the client.
Regards,
Georgi
Progress Telerik
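The two points made in this thread, as an added example in plain JavaScript that is not Kendo's code and not from either poster: why a "</script>" inside a JSON dataSource that is inlined in a script tag ends the element early, how escaping the JSON for inline use prevents that, and what a default (encoded) column does to a cell value compared with encoded:false. The function names (toInlineScriptJson, canCloseScriptTag, htmlEncode, renderCell, roundTrips) and the sample row are my own, built around the payload quoted above.

```javascript
// Added example, not Kendo UI's own code. Constructed sample row using the
// payload from the thread as a product name.
const PRODUCTS = [
  { ProductName: "<script></script><script>alert('pwned');</script>", UnitPrice: 18 },
];

// Serialize data for safe inclusion inside an inline <script> element.
// The HTML parser ends a script element at the first "</script" it sees,
// regardless of JS string quoting, so no literal '<' may survive. \uXXXX
// escapes keep the output valid JSON and a valid JS literal.
function toInlineScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028") // legal raw in JSON, but a line terminator
    .replace(/\u2029/g, "\\u2029"); // in older JS engines; escape defensively
}

// True if the serialized text still contains a sequence the HTML parser
// would treat as the end of the script element (tag names are case-insensitive).
function canCloseScriptTag(serialized) {
  return /<\/script/i.test(serialized);
}

// Minimal HTML encoder, equivalent in effect to what a column with the
// default encoded:true applies before writing a value into a cell.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one cell the way encoded:true versus encoded:false would; with
// encoded:false the value is written as raw markup and must already be safe.
function renderCell(value, encoded) {
  return `<td>${encoded ? htmlEncode(value) : value}</td>`;
}

// Check that the escaped JSON still parses back to the original data.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(toInlineScriptJson(value))) === JSON.stringify(value);
}
```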