XSS Issues

  1. ELTA愛爾達科技
     Member since: Apr 2018

     Posted 03 Oct

     Hello,

     We use checkmax for weak sweeps, and there are some XSS issues for Kendo Grid.

     How can I solve it?

     Our code:

     public ActionResult GridSearch([DataSourceRequest] DataSourceRequest request)
     {
         ....
         return Json(svc.GridSearch(request));
     }


  2. Georgi
     Admin

     Posted 05 Oct

    Hello Elta,

    I noticed that you have posted the same query in a support ticket. Since I have already answered there, for your convenience I am posting the answer here as well.

    ================================

    Generally speaking, a best practice is to save the data from the client in the database without modifying it. However, when displaying it you should HTML encode it.

    By default the grid encodes the content which is displayed within the cells, which means that if a user has submitted a script, the script will not execute but will be displayed as standard text. Bear in mind that this encoding can be disabled by setting the column.Encoded configuration to false. Please make sure that the encoding in your grid is not disabled.

    e.g.

    columns.Bound(x => x.Field).Encoded(false);

    Finally, if possible could you please provide us with a sample where an XSS occurs so we can examine it locally?


    Regards,
    Georgi
    Progress Telerik
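The point of the answer above, as an added example that is not part of the thread or of Telerik's code: a stored value is kept unmodified, encoding happens at render time, and a per-column `encoded: false` setting (the jQuery-side counterpart of `.Encoded(false)`) is what lets raw markup through. The rendering helper and the audit function are assumptions of this example, not the grid's own implementation.

```javascript
// Minimal HTML encoder for text placed inside an element's content.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not double-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one cell the way a grid does: the stored value goes in unmodified,
// markup comes out. A column with `encoded === false` is the weak setting
// discussed in the thread; every other column is encoded (the default).
function renderCell(column, row) {
  const raw = row[column.field];
  const text = column.encoded === false ? String(raw) : htmlEncode(raw);
  return `<td>${text}</td>`;
}

// Audit helper (assumption of this example): list the fields whose column
// definitions disable encoding, so a reviewer can check each one deliberately.
function unencodedColumns(columns) {
  return columns.filter((c) => c.encoded === false).map((c) => c.field);
}

// Constructed sample data: a value a user submitted, saved as-is in the database.
const sampleRow = { Name: "<script>alert('xss')</script>", Notes: "plain text" };

// Constructed sample column configuration with one column that turned encoding off.
const sampleColumns = [
  { field: "Name", encoded: false },
  { field: "Notes" },
];

console.log("encoded:   ", renderCell({ field: "Name" }, sampleRow));
console.log("unencoded: ", renderCell({ field: "Name", encoded: false }, sampleRow));
console.log("columns with encoding disabled:", unencodedColumns(sampleColumns));
```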