2
votes

I am using the kendo editor. If I write any html data like : <img src=x onerror=alert(0) > as an input. The script is getting executed. Means the kendo editor is not secure. How I can encode the value on client side ?

Thanks in advance.

1
How do you input that? And how do you want to encode it? - Atanas Korchev
Hi @AtanasKorchev Please check the jsfiddle link jsfiddle.net/piyushparmar01/KuQvs/57 Here I am getting alert message. I added the HTMl script into the kendo editor but it's getting exectued. - Piyush
If I do encoding from serverside then user can able to view same encoded data. - Piyush

1 Answers

0
votes

I don't think the problem here is so much that the Kendo editor is insecure, more that the javascript fragment has made it onto the page in the first place.

On initialization the Kendo editor merely copies the input value verbatim and uses it within the iFrame that is contained within the editor, hence the script executes.

Typically you would encode/sanitize user content server-side before it's displayed. It's your website that generates the HTML page so you have full control over the output and need to ensure that a potentially dangerous value doesn't get added to the input's value in the first place.

It might be worth looking into Microsoft's AntiXSS offering.