Declined
Last Updated: 29 Mar 2021 07:00 by ADMIN
Leo
Created on: 04 Apr 2017 15:46
Category: Editor
Type: Feature Request
2
Improve security and support for Editor widget inside Grid preventing need of [AllowHtml]
The current Grid / Editor combo doesn't work together, making it nearly impossible to use the Editor inside a Grid. It may be possible, but that requires the [AllowHtml] attribute on the model, which is a security concern.
More details:
http://www.telerik.com/forums/kendo-editor-in-a-grid-popup-editor
2 comments
ADMIN
Nencho
Posted on: 29 Mar 2021 07:00

Hello,

Since a solution is provided by Yanko, and no further questions/requests are posted in the thread, we are declining this item. 

However, if you feel that this needs to be reopened and you have further comments on the matter, please post them below.

Regards,
Nencho
Progress Telerik


ADMIN
Ianko
Posted on: 02 Mar 2020 12:43

Hi Leo,

Generally, the idea of using Kendo Editor in such a scenario is to have the HTML saved to a database. There is security support regarding XSS and you can read more about that here: https://docs.telerik.com/kendo-ui/controls/editors/editor/preventing-xss.

In order to avoid using the AllowHtml attribute you need to send encoded HTML, but when rendering it you will need to decode it back to HTML. However, this is possible by using a field that is bound to the encodedValue method of the Editor.

On our end, we could eventually add an option to control whether the value method returns the encoded value or not. Currently, the value method returns the non-encoded value only. This would solve your case, as the built-in editing utilizes only the value method of the widgets. Let me know if the latter would help you out so that I can approve the feature request.

Regards,
Ianko
Progress Telerik

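The encode-on-send / decode-on-render round trip Ianko describes, as an added example that is not code from this thread or from Telerik. encodeHtml stands in for the Editor's encodedValue() (its exact character mapping is assumed), the request-validation check is a simplified model of ASP.NET's rule, and buildUpdateRequest / renderBodyCell are hypothetical stand-ins for the grid's editor template and column template.

```javascript
// Round trip: the Editor's HTML is HTML-encoded before the grid posts it, so the
// request body carries no raw tags and the MVC action needs no [AllowHtml];
// the grid column template decodes the stored text back to HTML on render.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = Object.fromEntries(Object.entries(ENCODE_MAP).map(([k, v]) => [v, k]));

// Assumed to match what Editor.encodedValue() returns for the same HTML.
function encodeHtml(html) {
  return html.replace(/[&<>"']/g, (c) => ENCODE_MAP[c]);
}

// Single-pass decode: "&amp;lt;" becomes "&lt;", not "<", so the round trip is exact.
function decodeHtml(text) {
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m) => DECODE_MAP[m]);
}

// Simplified model of ASP.NET request validation: it rejects "<" followed by a
// letter, "/", "!" or "?" (i.e. something that looks like a tag). Constructed
// approximation, not the framework's exact rule.
function looksDangerousToRequestValidation(s) {
  return /<[a-zA-Z/!?]/.test(s);
}

// Stand-in for the popup editor template: the model field is bound to the
// encoded value instead of editor.value().
function buildUpdateRequest(model, editorHtml) {
  return { ...model, Body: encodeHtml(editorHtml) };
}

// Stand-in for the grid column template. Decoding only undoes the transport
// encoding; the result is exactly what the user typed, so the server-side XSS
// handling from the linked Editor docs still has to run on the stored value.
function renderBodyCell(model) {
  return decodeHtml(model.Body);
}

// Constructed sample input.
const sample = buildUpdateRequest({ Id: 7 }, '<p class="note">Tom &amp; Jerry</p>');
console.log(sample.Body, "->", renderBodyCell(sample));
```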