This is a migrated thread and some comments may be shown as answers.

Script Injection in Grid

4 Answers 171 Views
Grid
Sanjeev asked on 23 Jan 2014, 06:29 AM
Hi,
I am working on script injection in my project. Suppose a user enters some script in a comment box which is free text (<script type="text/javascript">alert('Hi')</script>).
I used the Server.HtmlEncode/HtmlDecode methods to save to the DB and show in the text box respectively. But when I show it in a RadGrid with an item template and Label control, it shows the alert instead of the text. It works fine with a simple TextBox control, but perhaps there is an issue with controls inside the grid. One more thing: I don't want to use ValidateRequest = false anyhow, as it may restrict saving such text.

Sample code I am using for the Grid. I also tried binding the Label in the code-behind in the ItemDataBound event of the grid.
<ItemTemplate>
    <asp:Label ID="lblComments" runat="server" Text='<%#Server.HtmlDecode(Eval("Comments").ToString())%>' />
</ItemTemplate>

Any suggestions? Is there any property/method of the Grid to resolve this issue?
Thanks in advance.

4 Answers, 1 is accepted

Accepted
Jayesh Goyani
answered on 23 Jan 2014, 11:19 AM
Hello,

Please try with the below code snippet.

<telerik:GridBoundColumn UniqueName="Comments" DataField="Comments" HeaderText="Comments" HtmlEncode="true">
</telerik:GridBoundColumn>

OR

<telerik:GridTemplateColumn>
    <ItemTemplate>
        <asp:Label ID="lblComments" runat="server" Text='<%#Server.HtmlEncode(Eval("Comments").ToString())%>' />
    </ItemTemplate>
</telerik:GridTemplateColumn>


Thanks,
Jayesh Goyani
Sanjeev
answered on 23 Jan 2014, 11:26 AM
Jayesh!
Thanks for your reply. I have already tried that; you only included the Template tag, which I had not mentioned.
In case of a bound column, it will also not work.
Accepted
Konstantin Dikov
Telerik team
answered on 27 Jan 2014, 09:14 AM
Hi Sanjeev,

Please note that Jayesh has replaced Server.HtmlDecode with Server.HtmlEncode, which is the correct way of handling such values.

For your convenience I have prepared a sample page, which demonstrates that both solutions suggested by Jayesh are working as you requested. Please refer to the attached files and see if everything works as expected on your end too.


Regards,
Konstantin Dikov
Telerik
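The two accepted answers above (Jayesh's HtmlEncode template and Konstantin's note on HtmlDecode versus HtmlEncode) come down to one rule: encode for HTML at the point where the value is written into the page. The reason the Label misbehaved while the TextBox did not is that an ASP.NET TextBox HTML-encodes its value attribute when it renders, whereas a Label writes its Text property into the response verbatim, so decoding the stored value before handing it to the Label puts the raw <script> element straight back into the page. The console program below is an added example, not code from this thread or from Telerik. It uses System.Net.WebUtility so it compiles without an ASP.NET project (for the markup-significant characters <, >, &, " and ' the result is the same as Server.HtmlEncode); the comment text is a constructed sample, and the method names are illustrative.

```csharp
// Added example (not from the thread): why HtmlDecode on output re-enables the
// injected script, and why a single HtmlEncode at render time is the fix.
using System;
using System.Net;

public static class CommentRendering
{
    // A comment a hostile user typed into the free-text box (constructed sample).
    public const string RawComment =
        "<script type=\"text/javascript\">alert('Hi')</script>";

    // What the original save path stored: the comment, HTML-encoded at save time.
    public static string StoreEncoded(string raw)
    {
        return WebUtility.HtmlEncode(raw);
    }

    // The original ItemTemplate: Server.HtmlDecode(...) on the way out.
    // A Label writes its Text verbatim, so the browser receives a live <script>.
    public static string RenderLabelUnsafe(string stored)
    {
        return WebUtility.HtmlDecode(stored);
    }

    // The fix from the accepted answer: encode at output. Because the DB holds the
    // already-encoded value, decode it first so the text is not double-encoded,
    // then encode exactly once for the HTML context being written.
    // (If the DB held the raw text, the decode step would be skipped.)
    public static string RenderLabelSafe(string stored)
    {
        string canonical = WebUtility.HtmlDecode(stored);
        return WebUtility.HtmlEncode(canonical);
    }

    // Crude check used only for the demonstration: can this string open a tag?
    public static bool CanOpenTag(string html)
    {
        return html.IndexOf('<') >= 0;
    }

    public static void Main()
    {
        string stored = StoreEncoded(RawComment);
        Console.WriteLine("stored : " + stored);

        string unsafeHtml = RenderLabelUnsafe(stored);
        Console.WriteLine("unsafe : " + unsafeHtml + "  opens tag? " + CanOpenTag(unsafeHtml));

        string safeHtml = RenderLabelSafe(stored);
        Console.WriteLine("safe   : " + safeHtml + "  opens tag? " + CanOpenTag(safeHtml));
    }
}
```

The same RenderLabelSafe logic is what the grid cell needs. If you prefer the code-behind route mentioned in the question, apply it in RadGrid's ItemDataBound handler: cast e.Item to GridDataItem, locate the label with FindControl("lblComments"), and assign the encoded string to its Text instead of doing the call in the template. Two caveats: when the database already holds the HtmlEncode'd value (as in the original save path), a GridBoundColumn with HtmlEncode="true" encodes it a second time and the cell displays the literal &lt;script ... text; and HTML encoding is the right escape only for an HTML text or attribute context, not for a value written into a JavaScript string, a URL or a CSS value.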
Sanjeev
answered on 27 Jan 2014, 10:02 AM
Thanks a lot, Konstantin, for your reply and for pointing out my mistake. Actually I was looking for some built-in feature of RadGrid. By the way, thanks a lot, and I got the solution to my problem.