I am using kendo binding and want to filter all user input and be able to escape for output. Is there a value converter that has "from/to" type functionality? So that when data comes "from" user it can be filtered and when data is going "to" user it can be escaped? If there is no converter, can the binding be extended for this type of functionality?
I am aware of #: # for HTML encoding to display values. According to OWASP, different encoding techniques are needed depending on the context (https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet). What other encoding techniques are available for other bindings, i.e. attribute?
5 Answers, 1 is accepted
0
Hi Bruce,
the #: # syntax you refer to is coming from the Kendo UI Templates. When it comes to Kendo UI MVVM, the values are manipulated through the DOM API (getAttribute/setAttribute or innerText), which means that the passed value is escaped by the browser itself.
Regards,
Petyo
Telerik
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
0

Bruce
answered on 27 Jun 2014, 02:43 PM
How does this work with Firefox? I thought innerText was IE only.
0
Hi Bruce,
a feature detection for the innerText is performed here.
Regards,
Petyo
Telerik
0

Bruce
answered on 30 Jun 2014, 03:39 PM
How can I extend the binding to create my own data converter to filter data coming "from" user and escape it when going "to" user?
0
Hello Bruce,
The easiest way to do that would be to take the code of one of our existing bindings and tweak its implementation. You may also check the respective help article for more details.
Regards,
Petyo
Telerik