This is a migrated thread and some comments may be shown as answers.

XSS Issues

1 Answer 182 Views
General Discussions
ELTA愛爾達科技 asked on 04 Oct 2018, 01:48 AM

hello:

We use checkmax for weak sweeps,

and there are some XSS Issues for Kendo Grid.

How can I solve it?

 

our codes:

public ActionResult GridSearch([DataSourceRequest] DataSourceRequest request)
{
    ....
    return Json(svc.GridSearch(request));
}

 

1 Answer, 1 is accepted

Georgi
Telerik team
answered on 05 Oct 2018, 10:08 AM
Hello Elta,

I noticed that you have posted the same query in a support ticket. Since I have already answered there, for your convenience I am posting the answer here as well.

================================

Generally speaking, a best practice is to save the data from the client in the database without modifying it. However, when displaying it, you should HTML encode it.

By default the grid encodes the content which is displayed within the cells, which means that if a user has submitted a script, the script will not execute but will be displayed as standard text. Keep in mind that this encoding can be disabled by setting the column.Encoded configuration to false. Please make sure that the encoding in your grid is not disabled.

e.g.

columns.Bound(x => x.Field).Encoded(false);

Finally, if possible could you please provide us with a sample where an XSS occurs so we can examine it locally?


Regards,
Georgi
Progress Telerik
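An added example (not Telerik's or Kendo UI's own code) that models the behaviour Georgi describes: each cell value is HTML-encoded unless the column's encoding flag is explicitly set to false, plus a helper that lists the columns where encoding has been switched off. The column/row shapes, the sample data and the function names are assumptions made for this illustration.

```javascript
// Added example (not Kendo/Telerik code): a minimal model of per-column HTML
// encoding in a grid cell renderer, so the effect of disabling encoding can be
// seen and audited offline.

// HTML-encode the characters that can open markup or break out of an attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one row into <td> strings. Mirrors the grid default described in the
// answer: a column is encoded unless its config explicitly sets encoded: false.
function renderRow(columns, row) {
  return columns.map(function (col) {
    var value = row[col.field] == null ? "" : row[col.field];
    var encoded = col.encoded !== false;
    return "<td>" + (encoded ? htmlEncode(value) : String(value)) + "</td>";
  });
}

// Audit helper: list the fields whose column encoding has been disabled.
function columnsWithEncodingDisabled(columns) {
  return columns
    .filter(function (col) { return col.encoded === false; })
    .map(function (col) { return col.field; });
}

// Constructed sample: one column with the default setting, one with encoding
// disabled, and a stored value that contains markup (assumed data).
var sampleColumns = [
  { field: "Name" },
  { field: "Notes", encoded: false }
];
var sampleRow = { Name: "<script>alert(1)</script>", Notes: "<b>bold</b>" };

var cells = renderRow(sampleColumns, sampleRow);
// cells[0] === "<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>"  (shown as text)
// cells[1] === "<td><b>bold</b></td>"                               (inserted as markup)
// columnsWithEncodingDisabled(sampleColumns) returns ["Notes"]
```

Running the audit helper over the real column definitions is a quick way to confirm, as the answer suggests, that no column has had its encoding disabled.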