This is a migrated thread and some comments may be shown as answers.

ClientTemplate and <#= #> HTML encoding issue

This question is locked. New answers and comments are not allowed.
Andrei
Andrei asked on 26 Mar 2012, 06:18 PM
Hi,

1. Open your official client template demo - http://demos.telerik.com/aspnet-mvc/razor/grid/templatesclientside
2. It has a quite simple client template with only an integer property, <#= CustomerID #>. So there is no issue here, because the property is an integer.
3. But what if I want to use <#= CustomerName #>? In this case its value is not HTML encoded, and a hacker can register using a potentially dangerous name such as <script type="text/javascript">alert('my name here')</script>

So the question.  Is there any way to HTML encode (on client side) values passed into <#= #> when using ClientTemplate() method? 

Andrei
answered on 26 Mar 2012, 08:09 PM
After some investigation I think that the following should be changed in the telerik.grid.js file
1. Find "function template(value)" declaration
2. It should accept a new boolean 'encode' parameter which will be used when replacing the <#= placeholder #>
3. Update this function's invocations (pass 'true' or 'false') where required.

Your thoughts?
Andrei
answered on 27 Mar 2012, 08:53 AM
Here is what I can suggest. Add support for a new "placeholder wrapper" <##= #> which will encode the placeholder.
For example,
<#= somestring #> will not encode "somestring"
<##= somestring #> will encode "somestring".

Any comment?

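The dual placeholder proposed above, worked through as an added example. This is not code from telerik.grid.js or from anyone in this thread; it is a minimal template renderer that treats <#= #> as a raw placeholder and <##= #> as an HTML-encoded one, so that a view can decide per placeholder whether a value is inserted as markup or as text. The field names CustomerID and CustomerName and the sample rows are constructed for the example.

```javascript
// Added example, not telerik.grid.js: a minimal client template renderer with
// two placeholder forms, following the proposal in this thread.
//   <#= name #>   raw: the value is inserted as-is, so markup in the data is live
//   <##= name #>  encoded: the value is HTML-encoded before insertion

function htmlEncode(value) {
  // Encode the characters that can end a text node or an attribute value.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderTemplate(template, data) {
  // Group 1 captures the optional second '#' (the encode flag),
  // group 2 captures the property name to look up in `data`.
  return template.replace(/<#(#?)=\s*([A-Za-z_$][\w$]*)\s*#>/g, function (match, encodeFlag, name) {
    var value = data[name];
    if (value === undefined || value === null) {
      value = "";
    }
    return encodeFlag === "#" ? htmlEncode(value) : String(value);
  });
}

// Constructed sample rows; the second one carries the payload quoted in the
// original question, so the difference between the two placeholders is visible.
var sampleRows = [
  { CustomerID: 1, CustomerName: "Alice" },
  { CustomerID: 2, CustomerName: "<script>alert('my name here')</script>" }
];

function renderRows(rows, template) {
  return rows.map(function (row) {
    return renderTemplate(template, row);
  });
}

// Example usage (assumed row template):
// renderRows(sampleRows, "<tr><td><#= CustomerID #></td><td><##= CustomerName #></td></tr>");
```

With the encoded placeholder the second row renders the name as visible text; with the raw placeholder the same data is inserted as live markup. A value that the server already encoded (for example &lt;script&gt;) passes through the raw placeholder unchanged and is also shown as text, which is the point made later in the thread about pre-encoded data.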
Dadv
answered on 27 Mar 2012, 10:36 AM
Hi,

You can encode your data yourself (in the model, for example).
Andrei
answered on 27 Mar 2012, 02:56 PM
Yes, I know. But it's more like a workaround for this issue. Actually it's wrong. Views should decide whether data should be encoded or not (not controllers). You already provide this option (the Encoded method for simple columns, when Template() or ClientTemplate() aren't specified). The solution I suggested will resolve this issue, and there's not much code to add for this functionality. Please add it to your roadmap. Is it possible?

BTW, your demo site could also be hacked if I could edit customer data and insert some JavaScript (your demo site just does not allow editing data - [HtmlAllow]). I mean the Client Row Template page ( http://demos.telerik.com/aspnet-mvc/grid/clientrowtemplate ). Why don't you encode customer data in controllers before passing it to the view?
Dadv
answered on 28 Mar 2012, 09:03 AM
First, to clarify, I'm not from Telerik Team.

By design ASP.NET doesn't allow some basic code injection (for example: <script type="javascript">alert("test");</script> will throw an error if you try to insert it in a field that is not an editor field).

You could also try to inject something like this: &lt;script type="javascript"&gt;alert("test");&lt;script&gt; This will insert the text in the database, but with <#= #> normally it should not be executed on client render (you should see the text in clear).

On the other side, if you use an editor like this one, you need HTML encoding at the end, so the encoding is your part.

However, if you need some encoding functionality, try this extension:

using System.Web; // HttpUtility

// Escape() needs a project reference to Microsoft.JScript.dll
public static class EncodeExtension
{
    // HTML-encode a string so that it renders as text rather than markup
    public static string Encode(this string value)
    {
        if (value == null)
            return null;
        return HttpUtility.HtmlEncode(value);
    }

    // Equivalent of the JavaScript escape() function
    public static string Escape(this string value)
    {
        if (value == null)
            return null;
        return Microsoft.JScript.GlobalObject.escape(value);
    }

    // URL-encode a string for use in a query string or path segment
    public static string EncodeUrl(this string value)
    {
        if (value == null)
            return null;
        return HttpUtility.UrlEncode(value);
    }
}

Andrei
answered on 28 Mar 2012, 09:31 AM
Thanks. I know that ASP.NET doesn't allow code injection by default. But my application allows it ([AllowHtml] attribute). Controllers should not encode string values in a returned model. They just don't know how this model will be used in a view. The views should decide whether values should be encoded or not. Otherwise, it's an anti-pattern.

The source code you provided is server-side. I'm talking about client-side encoding. The telerik.grid.js file already supports such encoding for simple properties. Why can't this support be added for <#= #> client template placeholders?
Dadv
answered on 28 Mar 2012, 10:55 AM
I suggest you add a request to the PITS.

However, in my point of view, encoding the value client side is not the best way to avoid a security risk. I think the View should provide the well-encoded value to the client.

So if you use HTML in your model, I suggest you use a ViewModel to adapt the data to the view (not in the ClientTemplate, because it's too late).

You often talk of the Controller, but I have never talked of the controller, but of the Model. The Model (or ViewModel in my case) is specific to the view; it's its "adapter".

If you need to use ClientTemplate, then be aware that (as far as I know) it's executed client side.

In your project you need to open a breach for functionality purposes ([AllowHtml]), so you need to plug in your own security on the server side.

For example, in your ViewModel:

using System.Web; // HttpUtility

// Enclosing class name is assumed; the original post showed only the property
public class CustomerViewModel
{
    private string customerName;

    // The getter returns the HTML-encoded value, so the view never sees raw markup
    public string CustomerName
    {
        get { return customerName != null ? HttpUtility.HtmlEncode(customerName) : null; }
        set { customerName = value; }
    }
}

Andrei
answered on 28 Mar 2012, 12:40 PM
I suggest you add a request to the PITS
Thanks. Just did it.

You often talk of the Controller, but I have never talked of the controller,
MVC (C is Controller)

So if you use HTML in your model, I suggest you use a ViewModel to adapt the data to the view (not in the ClientTemplate, because it's too late).
Please see my original post. I don't need a ViewModel. The data is returned during an AJAX request as JSON. That's why I'm using ClientTemplate, when the view (page) is already loaded and displayed to a user. Why don't I want to return already encoded JSON data? Please see my post above.
Dadv
answered on 28 Mar 2012, 01:01 PM
My apologies, I didn't understand it was JSON binding.
Pitamber
answered on 27 Nov 2012, 10:07 PM
What did you figure out?