Client-side API Reference - Telerik.Web.UI.RadLabel

Merav asked on 10 Oct 2023, 06:27 PM

Hi,

Due to PT testing on our code, we found an issue with RadLabels that execute JS code.

In order to solve this issue, I was trying to set the HtmlEncode property to true from JS, with no success, because I'm trying to avoid changing this property for each web form manually.

The default value for this property is false.

So I need to know if there is a client-side API for this property.

If not, any other suggestions to solve this breach with code and not manually?

Thanks,

Merav

Rumen
Telerik team
commented on 13 Oct 2023, 08:46 AM

Hi Merav,

RadLabel is a very lightweight component and it does not offer its own client-side API.

Since the control is rendered as a standard <label> element on the page, you can loop through all <label> elements on the page and encode their values:

<script type="text/javascript">
    function pageLoad() {
        // Get all label elements on the page
        var labels = document.getElementsByTagName("label");

        // Loop through each label and encode its inner text
        for (var i = 0; i < labels.length; i++) {
            labels[i].innerText = $telerik.htmlEncode(labels[i].innerText);
        }
    }
</script>

You already mentioned wanting to avoid manually setting the HtmlEncode server property for each form. So a different approach is to loop through the controls on the server side (during page load or init) and set the property for all RadLabel controls. This would be a global change.

// Walk the whole control tree: RadLabels are normally nested inside the form,
// panels, user controls and templates, so a single pass over Page.Controls
// only sees the direct children and misses them.
void EncodeRadLabels(Control parent)
{
    foreach (Control control in parent.Controls)
    {
        if (control is RadLabel)
        {
            ((RadLabel)control).HtmlEncode = true;
        }
        EncodeRadLabels(control);
    }
}

// e.g. from Page_Load: EncodeRadLabels(this);

Merav
commented on 16 Oct 2023, 10:21 AM

Thanks a lot!

I will try.

Rumen
Telerik team
commented on 16 Oct 2023, 10:22 AM

Sure, take your time and share the result!

Merav
commented on 29 Oct 2023, 11:48 AM

Hi Rumen,

I was trying to add the code to the JS and also to the server side, but I wasn't able to solve this issue.

Maybe I can't find the right event.

The data in the DB that needs to be HTML encoded is: <img src="xss" onerror="alert(123)">

For all events I tried, I either can't find the control (before the DOM is loaded), or in other events (after the DOM was loaded) I was able to find the control, but the JS in the control had already been executed.

I also want to mention that when the RadLabel is rendered, it is not a label tag but a span tag, and the JS injection actually creates an img tag inside this span.

<div class="col-md-3">
    <span id="ctl00_ctl01_fvlc_RequestFormForm_fvSubView1_RequestFormForm_lblProject" disabled="disabled" class="RadLabel RadLabel_InBloom"><img src="xss" onerror="alert(123)"></span>
</div>

Any idea?

Thanks,

Merav
Rumen
Telerik team
commented on 31 Oct 2023, 09:34 AM

No JavaScript solution will have access to the control, or be able to find it, before the DOM is loaded. All events like window.onload, Sys.Application.load (pageLoad) and $(document).ready are executed after the DOM is loaded, and by then it is too late to strip the onerror attribute.

Since the label control does not offer a client-side EncodeHtml method, and it is too late to strip the onerror attribute once the DOM is loaded on the client side, the possible solutions are server-side only. For example, you can create a common EncodeLabels method which you can call from the code-behind of all pages that have label elements in them:

Put the EncodeLabels static method in a static class in GlobalMethods.cs. This way, the method can be accessed from different parts of your project without the need to instantiate the class.

GlobalMethods.cs

using System.Web.UI;

public static class GlobalMethods
{
    // Recursively walks the control tree, because RadLabels are usually nested
    // inside panels, user controls and templates rather than being direct
    // children of the form.
    public static void EncodeLabels(Control form)
    {
        foreach (Control control in form.Controls)
        {
            // Check if the control is a Telerik RadLabel
            if (control is Telerik.Web.UI.RadLabel)
            {
                ((Telerik.Web.UI.RadLabel)control).HtmlEncode = true;
            }

            // Descend into the child controls of this control
            EncodeLabels(control);
        }
    }
}

Then you can call GlobalMethods.EncodeLabels() from the Page_Load event of any page within your project, passing the form control as an argument:

protected void Page_Load(object sender, EventArgs e)
{
    GlobalMethods.EncodeLabels(this.Form);
}

Now, the EncodeLabels method can be accessed globally from any part of your project where the GlobalMethods class is visible. Moreover, by passing the Form control as an argument to the method, you can use this method to encode labels on any form within your project.


Another solution is to use ASP.NET Themes to apply the HtmlEncode property to all label controls in the app:
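Putting the two server-side replies in this thread together (the Page.Controls loop and the GlobalMethods.EncodeLabels helper), here is an added example that is not Telerik's code and not the snippets posted above. It walks the complete control tree instead of only the direct children of the page or form, and hooks the walk once from Global.asax so that no web form needs its own Page_Load call, which was the original requirement. The class names LabelEncoding and Global, the file names, and the choice of the PreRenderComplete event are assumptions; the RadLabel type and its HtmlEncode property are the ones discussed in the thread.

```csharp
// Added example (not Telerik's code and not the snippet from the thread).
// Class/file names (LabelEncoding, Global.asax.cs) are assumptions.
using System;
using System.Web;
using System.Web.UI;
using Telerik.Web.UI;

public static class LabelEncoding
{
    // Walks the whole control tree below 'root'. A single pass over Page.Controls
    // or Form.Controls only sees direct children; RadLabels normally sit inside
    // panels, user controls and FormView/GridView templates, so recursion is needed.
    // Returns the number of labels that were switched to HtmlEncode = true.
    public static int EncodeLabels(Control root)
    {
        if (root == null)
        {
            return 0;
        }

        int changed = 0;
        RadLabel label = root as RadLabel;
        if (label != null && !label.HtmlEncode)
        {
            // With HtmlEncode = true the label text is rendered as text, not as markup.
            label.HtmlEncode = true;
            changed++;
        }

        if (root.HasControls())
        {
            foreach (Control child in root.Controls)
            {
                changed += EncodeLabels(child);
            }
        }
        return changed;
    }
}

// Global.asax.cs: hook every Web Forms page once, so no page needs its own Page_Load call.
public class Global : HttpApplication
{
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        Page page = Context.Handler as Page;
        if (page == null)
        {
            return;   // not a Web Forms page (ashx handler, web service, static file, ...)
        }

        // PreRenderComplete fires after every control, including data-bound FormView/GridView
        // templates that create their children late in the lifecycle, has finished PreRender,
        // but before Render, so the property still takes effect for the generated HTML.
        page.PreRenderComplete += (s, args) => LabelEncoding.EncodeLabels(page);
    }
}
```

To check that the hook is effective, load a page whose label text comes from a record containing the same value as in the thread, `<img src="xss" onerror="alert(123)">`, and look at the browser's view-source: the span should contain `&lt;img src="xss" onerror="alert(123)"&gt;` as text and no img element. The return value of EncodeLabels can be logged per request to spot pages where no label was changed, for example pages that set the property explicitly or that build their labels after PreRenderComplete.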

