This is a migrated thread and some comments may be shown as answers.

XSS prevention

5 Answers 311 Views
MVVM
Bruce asked on 25 Jun 2014, 07:37 PM
I am using kendo binding and want to filter all user input and be able to escape for output.  Is there a value converter that has "from/to" type functionality?  So that when data comes "from" user it can be filtered and when data is going "to" user it can be escaped?  If there is no converter, can the binding be extended for this type of functionality?
I am aware of #: # for HTML encoding to display values. According to OWASP, different encoding techniques are needed depending on the context (https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet). What other encoding techniques are available for other bindings, i.e. attribute?


5 Answers, 1 is accepted

Petyo
Telerik team
answered on 26 Jun 2014, 01:25 PM
Hi Bruce,

the #: # syntax you refer to is coming from the Kendo UI Templates. When it comes to Kendo UI MVVM, the values are manipulated through the DOM API (getAttribute/setAttribute or innerText), which means that the passed value is escaped by the browser itself.

Regards,
Petyo
Telerik
 
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
 
Bruce
answered on 27 Jun 2014, 02:43 PM
How does this work with Firefox? I thought innerText was IE only.
Petyo
Telerik team
answered on 28 Jun 2014, 09:06 AM
Hi Bruce,

a feature detection for the innerText is performed here.

Regards,
Petyo
Telerik
Bruce
answered on 30 Jun 2014, 03:39 PM
How can I extend the binding to create my own data converter to filter data coming "from" user and escape it when going "to" user?
Petyo
Telerik team
answered on 02 Jul 2014, 07:41 AM
Hello Bruce,

The easiest way to do that would be to take the code of one of our existing bindings and tweak its implementation. You may also check the respective help article for more details.

Regards,
Petyo
Telerik
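One way to build the two-way "filter from user / escape to user" binder that the thread asks for, as an added example that is not from this thread or from Kendo UI itself. It assumes Kendo UI's documented kendo.data.Binder.extend / kendo.data.binders registration API and jQuery; the binder name safeValue and the helper names are assumptions, and the two encoders follow the HTML body and attribute rules from the OWASP cheat sheet cited in the question.

```javascript
"use strict";

// HTML body context (OWASP rule #1): encode & < > " ' / for element content.
function encodeForHtml(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, function (ch) { return map[ch]; });
}

// HTML attribute context (OWASP rule #2): encode everything but [A-Za-z0-9] as
// &#xHH;, so the value cannot terminate a quoted or unquoted attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, function (ch) {
    return "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  });
}

// "From user" filter: drop C0/DEL control characters (keeping tab, LF, CR),
// trim, and cap the length before the value reaches the view-model.
function filterUserInput(value, maxLength) {
  var limit = maxLength === undefined ? 1000 : maxLength;
  return String(value == null ? "" : value)
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .trim()
    .slice(0, limit);
}

// Custom two-way binder (hypothetical name "safeValue"), registered only when
// Kendo UI and jQuery are loaded so the helpers above still run on their own.
// Usage: <input data-bind="safeValue: comment" />
if (typeof kendo !== "undefined" && kendo.data && kendo.data.Binder) {
  kendo.data.binders.safeValue = kendo.data.Binder.extend({
    init: function (element, bindings, options) {
      kendo.data.Binder.fn.init.call(this, element, bindings, options);
      var that = this;
      $(element).on("change", function () { that.change(); });
    },
    // model -> view: assign the DOM property; the browser never parses it as markup.
    refresh: function () {
      this.element.value = this.bindings.safeValue.get() || "";
    },
    // view -> model: filter what the user typed before storing it.
    change: function () {
      this.bindings.safeValue.set(filterUserInput(this.element.value));
    }
  });
}
```

The two encoders are for the places where the same model values are written into markup (templates, html bindings, attribute strings), where the plain DOM-property assignment in refresh does not apply.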