This is a migrated thread and some comments may be shown as answers.

XSS and SQL Injection

5 Answers 742 Views
General Discussions
Jack asked on 22 Sep 2011, 04:45 PM
I did not yet delve into the code.
Any provision in the framework to prevent XSS and SQL Injection?
Otherwise, what are recommended best practices?

5 Answers, 1 is accepted

Richard Cuti answered on 28 Feb 2012, 08:18 PM
A very good question. I can't seem to find an answer. We are evaluating Kendo UI for our next project and we need to be able to answer this question.

Thanks in advance...
Atanas Korchev (Telerik team) answered on 29 Feb 2012, 08:41 AM
Hello,

What kind of provisions to prevent XSS and SQL Injection are you looking for? Keep in mind that Kendo is a client-side framework and XSS and SQL injection are best taken care of server side.

Regards,
Atanas Korchev
the Telerik team
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
EC answered on 30 Oct 2013, 09:43 AM
Hello Atanas,

From the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may be hacked).
While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.

The kendo.template() function for example can be extended to filter out any unwanted <script> tags. The following code would do it:
var kendoTemplate = kendo.template;           // keep a reference to the original template factory
kendo.template = function () {
    // compile the template exactly as Kendo would
    var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
    return function () {
        // render, then let jQuery.parseHTML drop any <script> elements
        // (its keepScripts argument defaults to false)
        var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
        // serialise the remaining nodes back into an HTML string
        return $("<div></div>").html(htmlWithoutScripts).html();
    }
};
The jQuery.parseHTML() function will strip any <script> tags...
I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

Best Regards,
Wannes Simons.
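As an added example (not code from this thread, from jQuery or from Kendo UI), the plain Node.js script below contrasts the two client-side defences that come up here: stripping <script> elements out of the rendered markup, as the kendo.template wrapper above does through jQuery.parseHTML, and HTML-encoding each untrusted value before it is interpolated into the template. It runs without jQuery or Kendo: stripScriptElements is a stand-in that approximates parseHTML's keepScripts=false behaviour, containsActiveContent is a simple check for markup that would execute when inserted into the DOM, and the sample rows are constructed. The point it demonstrates is that tag stripping is a denylist: a value such as <img src=x onerror=...> contains no <script> element, so it survives stripping, while output encoding neutralises it. In Kendo templates the encoded form corresponds to the #: value # syntax, whereas #= value # emits the value as raw markup.

```javascript
// Added example, not from the thread or from Kendo UI. Plain Node.js, no
// jQuery/Kendo dependency: the helpers below stand in for the DOM behaviour.

// Stand-in for what jQuery.parseHTML(html) does with keepScripts=false:
// <script>...</script> elements are dropped, all other markup is kept as-is.
function stripScriptElements(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Output encoding: an untrusted value becomes inert text in an HTML text or
// quoted attribute-value context, whatever markup it contains. Kendo's
// "#: value #" template syntax applies this kind of encoding; "#= value #"
// renders the value raw.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Would this markup run code when inserted into the DOM? Looks for <script>
// elements and for inline event-handler attributes (onerror, onload, ...).
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample rows, as a grid might receive them from a database that
// an attacker has been able to write to (the scenario discussed in the thread).
const rows = [
  { name: "Alice" },
  { name: "<script>alert(1)</script>" },      // caught by <script> stripping
  { name: '<img src=x onerror="alert(1)">' }, // no <script> element: survives stripping
];

// Three ways of rendering the same row into a table cell.
function renderRaw(row) {
  return `<tr><td>${row.name}</td></tr>`;             // like "#= name #"
}
function renderStripped(row) {
  return stripScriptElements(renderRaw(row));         // like the kendo.template wrapper in the post
}
function renderEncoded(row) {
  return `<tr><td>${escapeHtml(row.name)}</td></tr>`; // like "#: name #"
}

// How many of the sample rows still carry executable content after rendering.
function countActiveRows(render) {
  return rows.filter((row) => containsActiveContent(render(row))).length;
}

console.log("raw:", countActiveRows(renderRaw));           // 2
console.log("stripped:", countActiveRows(renderStripped)); // 1
console.log("encoded:", countActiveRows(renderEncoded));   // 0
```

The stripped variant still leaves one executable row, which is why encoding untrusted values (or using the #: # form in templates) is the default to reach for, with script stripping at most an extra layer on top.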
Atanas Korchev (Telerik team) answered on 30 Oct 2013, 11:16 AM
Hello,

We may indeed add support for such script element stripping. Do you mind logging a new feature request in our feedback portal?

Unfortunately we cannot enable such capability by default because it would be a breaking change and would affect performance. Perhaps we can make it optional or introduce a new method.

I should also add that a compromised server could render arbitrary JS which no third party JS library could prevent from executing, for example by including malicious JavaScript code.

Regards,
Atanas Korchev
Telerik
EC answered on 30 Oct 2013, 11:57 AM
Thanks Atanas,

You are right, a fully compromised server would be able to run any JavaScript :-) It's for those cases when only the database gets attacked or some external content gets mixed with the data.

I've added the suggestion on the feedback forum: http://feedback.kendoui.com/forums/127393-kendo-ui-feedback/suggestions/4838380-add-cross-site-scripting-xss-prevention

Best Regards,
Wannes Simons.