XSS and SQL Injection

6 posts, 0 answers
  1. Jack
    102 posts
    Member since:
    Jan 2007

    Posted 22 Sep 2011

    I did not yet delve into the code.
    Any provision in the framework to prevent XSS and SQL Injection?
    Otherwise, what are recommended best practices?
  2. Richard Cuti
    5 posts
    Member since:
    Mar 2007

    Posted 28 Feb 2012

    A very good question. I can't seem to find an answer. We are evaluating Kendo UI for our next project and we need to be able to answer this question.

    Thanks in advance...
  3. Atanas Korchev
    Admin
    8462 posts

    Posted 29 Feb 2012

    Hello,

    What kind of provisions to prevent XSS and SQL Injection are you looking for? Keep in mind that Kendo is a client-side framework and XSS and SQL injection are best taken care of server side.

    Regards,
    Atanas Korchev
    the Telerik team
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
  4. EC
    5 posts
    Member since:
    Mar 2013

    Posted 30 Oct 2013

    Hello Atanas,

    From the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may be hacked).
    While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.

    The kendo.template() function for example can be extended to filter out any unwanted <script> tags. The following code would do it:
    var kendoTemplate = kendo.template;   // keep a reference to the original compiler
    kendo.template = function () {
        // compile the template exactly as Kendo would
        var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
        return function () {
            // render, then re-parse the output; jQuery.parseHTML drops <script>
            // elements unless its keepScripts argument is set to true
            var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
            // serialise the parsed nodes back into an HTML string
            return $("<div></div>").html(htmlWithoutScripts).html();
        };
    };
    The jQuery.parseHTML() function will strip any <script> tags...
    I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
    Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

    Best Regards,
    Wannes Simons.
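    A runnable illustration of the wrapping approach in the post above, added here as an example and not code from the thread or from Kendo UI: a small constructed template compiler stands in for kendo.template and a regex script stripper stands in for jQuery.parseHTML, and the encoded path shows the output-encoding alternative that makes stripping unnecessary. All function names and the toy `#= #` / `#: #` syntax are assumptions made for the example.

```javascript
// Added example, not part of the forum thread or of Kendo UI.

// HTML-encode the characters that matter in element content and attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed stand-in for a template compiler (hypothetical, not kendo.template):
// "#= field #" inserts the raw value, "#: field #" inserts it HTML-encoded.
function compileTemplate(source) {
  return (data) => source.replace(/#([=:])\s*(\w+)\s*#/g, (_, mode, key) =>
    mode === ":" ? encodeHtml(data[key]) : String(data[key]));
}

// Best-effort removal of <script>...</script> elements from a rendered fragment.
// Case-insensitive, tolerates attributes and whitespace before the closing '>'.
// A regex over serialised HTML is only a demonstration; a real DOM parser is safer.
function stripScriptElements(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<script\b[^>]*\/?>/gi, ""); // orphaned or self-closing open tags
}

// The wrapper pattern from the post: compile as usual, then post-process every render.
function withScriptStripping(compile) {
  return function (...compileArgs) {
    const render = compile.apply(this, compileArgs);
    return function (...renderArgs) {
      return stripScriptElements(render.apply(this, renderArgs));
    };
  };
}

// Constructed sample record, as if it came back from a tampered data source.
const record = { name: "Alice <script>foo()</script>" };
const safeCompile = withScriptStripping(compileTemplate);

// Renders the same field three ways: raw, stripped after rendering, and encoded.
function demo() {
  return {
    raw: compileTemplate("<b>#= name #</b>")(record),
    stripped: safeCompile("<b>#= name #</b>")(record),
    encoded: compileTemplate("<b>#: name #</b>")(record),
  };
}
```

The encoded path keeps the untrusted text visible as text instead of discarding it, which is why output encoding at the point of insertion is the control to rely on, with element stripping as an extra layer rather than the primary defence.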
  5. Atanas Korchev
    Admin
    8462 posts

    Posted 30 Oct 2013

    Hello,

    We may indeed add support for such script element stripping. Do you mind logging a new feature request in our feedback portal?

    Unfortunately we cannot enable such capability by default because it would be a breaking change and would affect performance. Perhaps we can make it optional or introduce a new method.

    I should also add that a compromised server could render arbitrary JS which no third party JS library could prevent from executing. For example including malicious JavaScript code.

    Regards,
    Atanas Korchev
    Telerik
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
  6. EC
    5 posts
    Member since:
    Mar 2013

    Posted 30 Oct 2013

    Thanks Atanas,

    You are right, a fully compromised server would be able to run any JavaScript :-) It's for those cases when only the database gets attacked or some external content gets mixed with the data.

    I've added the suggestion on the feedback forum: http://feedback.kendoui.com/forums/127393-kendo-ui-feedback/suggestions/4838380-add-cross-site-scripting-xss-prevention

    Best Regards,
    Wannes Simons.