Unbound Columns Sent to Browser
Louis
Louis asked on 28 Jun 2011, 02:04 PM
Using Fiddler to inspect for some other issues I noticed that when data is sent to the MVC Grid control it includes columns that are in the model but not bound to the grid.  These unbound columns do not contain their data values but still represent information leakage and effectively give away information about our schema.
Example:
- Strongly typed model has properties A, B, C, D, E, F
- Bind columns A, B, C to MVC Grid for display
- HTTP response sends data to MVC Grid containing columns A, B, C, D, E, F, where A, B, C have values and are displayed, and D, E, F do not contain data values and are not displayed in the control (but are viewable in the response or in the page source)
- Columns D, E, F are marked as ScaffoldColumn(false) in the model and Hidden(true), Visible(false) in the grid control, but still get sent in the response.

The best, most secure behavior would be for columns that are not included in the binding to not be sent to the browser/UI.  In particular observing the ScaffoldColumn(false) attribute on the model would be optimal and in such cases those columns should not be included in server responses.

Is there a way to accomplish this currently and if not can an enhancement to the controls be included in the near future?

Demon
answered on 28 Jun 2011, 02:15 PM
Hi, you can use a viewmodel to prevent unwanted information from being sent to the client.
Louis
answered on 28 Jun 2011, 02:24 PM
I am looking for a solution that doesn't require a pattern where we need to create 2 (or more) versions of every model and do work to map data between them (a la AutoMapper or the like). There will be more complex cases that will require viewmodels, but all that extra work shouldn't be required if I simply have 1 or 2 sensitive columns I want to keep from the browser.

In "old school" databinding with ASP.NET server controls this was a simple task to accomplish (only binding and sending the data columns desired).
Atanas Korchev
Telerik team
answered on 29 Jun 2011, 09:26 AM
Hi Louis,

Old school data binding in ASP.NET was purely server side. The model was never serialized to the client side. The same thing will happen if you use the server side binding of the Telerik grid for ASP.NET MVC.

In ajax binding scenarios the datasource of the grid is serialized by the JavaScriptSerializer and returned as JsonResult. The only way to not serialize a property of the bound model is to decorate it with the ScriptIgnoreAttribute.

Regards,
Atanas Korchev
the Telerik team
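The two remedies offered in this thread (a view model that carries only the bound columns, and ScriptIgnoreAttribute on the sensitive properties of the original model) can both be checked outside the grid, because the grid's ajax binding simply hands the model to JavaScriptSerializer. The example below is added here and is not Telerik's code or code from the thread; the Customer and CustomerGridRow types, the property values and the LeaksAny helper are constructed for illustration. It serializes both shapes with JavaScriptSerializer and scans the output for the names of the properties that must stay server-side, which is the kind of unit test that catches a leaked column before Fiddler does.

```csharp
using System;
using System.Linq;
using System.Web.Script.Serialization; // System.Web.Extensions.dll

// Constructed model: A, B, C are bound to the grid, D, E, F are never meant
// to leave the server. [ScaffoldColumn(false)] and Hidden/Visible settings
// only affect templating and rendering, not serialization, so the properties
// that must not reach the browser carry [ScriptIgnore], which
// JavaScriptSerializer honours.
public class Customer
{
    public string A { get; set; }
    public string B { get; set; }
    public string C { get; set; }

    [ScriptIgnore] public string D { get; set; }
    [ScriptIgnore] public string E { get; set; }
    [ScriptIgnore] public string F { get; set; }
}

// The first answer's alternative: a view model that only has the bound
// columns, so there is nothing sensitive to serialize in the first place.
public class CustomerGridRow
{
    public string A { get; set; }
    public string B { get; set; }
    public string C { get; set; }

    public static CustomerGridRow From(Customer c) =>
        new CustomerGridRow { A = c.A, B = c.B, C = c.C };
}

public static class LeakCheck
{
    // Hypothetical helper: true if any of the given property names appears
    // as a JSON key in the serialized payload.
    public static bool LeaksAny(string json, params string[] propertyNames) =>
        propertyNames.Any(name => json.Contains("\"" + name + "\":"));

    public static void Main()
    {
        var customer = new Customer
        {
            A = "a", B = "b", C = "c",
            D = "sensitive-d", E = "sensitive-e", F = "sensitive-f"
        };
        var serializer = new JavaScriptSerializer();

        // Same serializer the grid's ajax binding uses for its JsonResult.
        string fromModel = serializer.Serialize(customer);
        string fromViewModel = serializer.Serialize(CustomerGridRow.From(customer));

        Console.WriteLine("model with [ScriptIgnore]: " + fromModel);
        Console.WriteLine("view model:                " + fromViewModel);

        // Neither payload should carry the D, E or F keys; a failure here
        // means a sensitive column would be visible in the HTTP response.
        foreach (var json in new[] { fromModel, fromViewModel })
        {
            if (LeakCheck.LeaksAny(json, "D", "E", "F"))
                throw new InvalidOperationException("sensitive column leaked: " + json);
        }
        Console.WriteLine("no unbound sensitive columns in either payload");
    }
}
```

ScriptIgnoreAttribute only influences JavaScriptSerializer and DataContractJsonSerializer is not affected by it; if a grid or action is later switched to a different JSON library (Json.NET, for instance, which uses its own JsonIgnoreAttribute), the same check will start failing and point at the regression.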