Big problem with all controls (XSS, but not only)

I have a big problem with Syncfusion controls (e.g. with the TextBox control).
When the value in the TextBox is </script>, the page output is completely messy.

The output from the default ASP.NET Core control is OK, but the output from the Syncfusion TextBox is "broken" (as in the screenshot below):


It's not only a problem with <script> or </script> text. A single quotation mark (") can break the output. It's because your library generates JavaScript without escaping values from model fields. For example:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({
  "enableRtl": false,
  "value": "</script>"
});
TextBoxhjmrudszwgx.appendTo("#editText"); 

Or for a field value with a quotation mark:

var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({
  "enableRtl": false,
  "value": """
});
TextBoxhjmrudszwgx.appendTo("#editText"); 

In my opinion it should be escaped.

What am I doing wrong? What do I have to do to make it work properly?

My sample project is in the attachment.

Attachment: Xss_be9ec3e9.zip
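To illustrate the escaping the post asks for, here is an added example (not Syncfusion's code and not the attached project): a naive renderer that reproduces the broken output beside a hardened one that emits the model value as an escaped JavaScript string literal. The variable name and the "#editText" id are taken from the snippets above; everything else is constructed.

```javascript
// Added example, not Syncfusion's code. The variable name and "#editText" are taken
// from the post; the rendering functions are constructed for illustration.

// Naive rendering: the value lands inside the inline script verbatim, so "</script>"
// ends the script block early and a lone double quote ends the string literal early.
function renderNaive(value) {
  return '<script>\n' +
    'var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({\n' +
    '  "enableRtl": false,\n' +
    '  "value": "' + value + '"\n' +
    '});\n' +
    'TextBoxhjmrudszwgx.appendTo("#editText");\n' +
    '</script>';
}

// Hardened rendering: JSON-encode the value (covers quotes, backslashes and control
// characters), then hex-escape what is still dangerous inside HTML script content:
// "<" and ">" (so "</script>" can never appear), "&" (for parsers that decode entities)
// and U+2028/U+2029 (line terminators in JavaScript that JSON leaves unescaped).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(value) {
  return '<script>\n' +
    'var TextBoxhjmrudszwgx=new ejs.inputs.TextBox({\n' +
    '  "enableRtl": false,\n' +
    '  "value": ' + jsStringLiteral(value) + '\n' +
    '});\n' +
    'TextBoxhjmrudszwgx.appendTo("#editText");\n' +
    '</script>';
}

// True when the fragment contains exactly one "</script" (case-insensitive, as HTML
// parsers are), i.e. the value did not terminate the script block early.
function scriptBlockIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// The escaped literal must still decode to the original value.
function roundTrips(value) {
  return JSON.parse(jsStringLiteral(value)) === String(value);
}
```

In a Razor view the same effect comes from serializing the model value with a JSON serializer configured to escape HTML-sensitive characters before it is placed in the script, rather than string-concatenating it as the naive renderer does.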

2 Replies

SP Sureshkumar P Syncfusion Team October 16, 2019 12:51 PM UTC

Hi adgr, 

Greetings from Syncfusion support. 

We are validating your query and the shared code block with the image. We will update you with further details in three business days (10/21/2019). We appreciate your patience until then.

Regards, 
Sureshkumar P 



SP Sureshkumar P Syncfusion Team October 25, 2019 09:33 AM UTC

Hi adgr, 
 
Sorry for the delay. 
 
Query 1: special character (*) issue

We have ignored the special characters (‘,*) and used an escape character to resolve the issue; please refer to the below:

“\””, but it is not applicable to the script tag.
 
Query 2: when the value in the TextBox is </script>, the page output is completely messy
 
We have considered this as a bug and have promised to provide a fix in our Volume 4, 2019 release, scheduled for the first week of December. Please find the reference links below.
    
 
Regards, 
Sureshkumar P 

