Find anything about our product, documentation, and more.

Blazor Components | 70+ Native UI Controls | Syncfusion

https://www.syncfusion.com/blazor-components

The Syncfusion native Blazor components library offers 70+ UI and Data Viz web controls that are responsive and lightweight for building modern web apps.

.NET PDF Framework | C# / VB.NET PDF API | Syncfusion

https://www.syncfusion.com/pdf-framework/net

.NET PDF framework is a high-performance and comprehensive library used to create, read, merge, split, secure, edit, view, and review PDF files in C#/VB.NET.

155+ Xamarin UI controls for iOS, Android & UWP apps | Syncfusion

https://www.syncfusion.com/xamarin-ui-controls

Over 155 Xamarin UI controls to create cross-platform native mobile apps for iOS, Android, UWP and macOS platforms from a single C# code base.

My Dashboard

SIGN OUT

Big problem with all controls (XSS, but not only)

2 Replies
2 Participants

Created by
AD adgr

Platform
ASP.NET Core - EJ 2

Platform
ASP.NET Core - EJ 2

Control
Text Box

Created On
Oct 11, 2019 09:19 PM UTC

Last Activity On
Oct 25, 2019 09:33 AM UTC

Want to subscribe?
SIGN IN

I have big problem with Syncfusion controls (e.g. with TextBox control).

When value in TextBox is </script> page output is completely messy.

Output from default Asp Net Core control is ok, but output from Syncfusion TextBox is "broken" - (like on screenshot below):

It's not only problem with <script> or </script> text. Single quotation mark (") can broke output. It's because your library generate javascript without escaping values from model fields. For example:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({

"enableRtl": false,

"value": "</script>"

});

TextBoxhjmrudszwgx.appendTo("#editText");

Or for field value with quotation mark:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({

"enableRtl": false,

"value": """

});

TextBoxhjmrudszwgx.appendTo("#editText");

In my opinion it should be escaped.

What am I doing wrong? What I have to do to make it work properly?

Ma sample project is in attachment.

Attachment: Xss_be9ec3e9.zip

2 Replies

SP Sureshkumar P Syncfusion Team October 16, 2019 12:51 PM UTC

Hi adgr,

Greetings from Syncfusion support.

We are validating your query and shared code block with image. We will update the further details in three business day (10/21/2019). We appreciate your patience until then.

Regards,

Sureshkumar P

SP Sureshkumar P Syncfusion Team October 25, 2019 09:33 AM UTC

Hi adgr,

Sorry for the delay.

Query 1 : special character (*) issue

we have ignore special character (‘,*) to use escape character to resolve the issue , please refer the below

“\”” but it is not applicable script tag

Query 2: value in TextBox is </script> page output is completely messy

We have considered this as a bug and promised to provide fix in our volume 4 release, 2019 scheduled on December first week. Please find the reference links below

Feedback portal link: https://www.syncfusion.com/feedback/9727/aspcore-component-not-render-when-given-input-script

Regards,

Sureshkumar P

2 Replies
2 Participants
Want to subscribe?
SIGN IN
Created by
AD adgr
Platform
ASP.NET Core - EJ 2
Control
Text Box
Created On
Oct 11, 2019 09:19 PM UTC
Last Activity On
Oct 25, 2019 09:33 AM UTC

Viewer Component

.NET PDF Processing Library

Conversions

Editor Component

.NET Word Processing Library

Conversions

Editor Component

.NET Excel Processing Library

Conversions

.NET PowerPoint Processing Library

Conversions

Big problem with all controls (XSS, but not only)

Enterprise Solutions

Free Products

Viewer Component

.NET PDF Processing Library

Conversions

Editor Component

.NET Word Processing Library

Conversions

Editor Component

.NET Excel Processing Library

Conversions

.NET PowerPoint Processing Library

Conversions

Learning

Resources

Support

Big problem with all controls (XSS, but not only)