I noticed that you have posted the same query in a support ticket. Since I have already answered there, for your convenience I am posting the answer here as well.
Generally speaking a best practice is to save the data from the client in the database without modifying it. However, when displaying it you should HTML encode
By default the grid encodes the content which is displayed within the cells, which means that if an user has submitted a script, the script will not execute but it will be displayed as a standard text. Have in mind that this encoding can be disabled by setting the column.Encoded configuration to false. Please make sure that the encoding in your grid is not disabled.
columns.Bound(x => x.Field).Encoded(
Finally, if possible could you please provide us with a sample where an XSS occurs so we can examine it locally?
Get quickly onboarded and successful
with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.