I would like my users to enter a Kendo template in a UI field for them to customize grid cells. So the user can enter Hello #= name # in an input field on the UI, and the grid column will show the result appropriately.
The problem is that the user may enter # alert('test') # in the template and the JavaScript will execute. I'm using AJAX in my application and a malicious user may invoke HTTP from the template.
Is it possible to avoid executing JavaScript in Kendo templates?
You can't really avoid it, except by sanitizing the input. You could remove round brackets from the templates before applying them so at least there could be no function calls, or remove all # ... # from the template with a regex.
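One way to do the sanitizing the answer describes, as an added example (not code from the question, the answer or Kendo itself): instead of only stripping brackets, rebuild the template so that just #= field # / #: field # references to an allow-list of grid fields survive, and every other # ... # or ${ ... } block is turned into inert literal text. It assumes Kendo's escape sequences \# (literal hash) and \} (literal closing brace), and the field names in ALLOWED_FIELDS are constructed for the example.

```javascript
// Constructed allow-list: the data fields this grid exposes to user templates.
const ALLOWED_FIELDS = new Set(["name", "price", "quantity"]);

// A Kendo expression block: "#= expr #", "#: expr #" or bare "# code #".
const BLOCK_RE = /#(=|:)?([\s\S]*?)#/g;
// A plain identifier, i.e. a direct field reference with no call or property chain.
const IDENT_RE = /^[A-Za-z_$][\w$]*$/;

// Make text inert for the Kendo compiler: an active "#" or "}" would let it
// turn "#...#" or "${...}" back into JavaScript, so escape both.
function escapeLiteral(text) {
  return text.replace(/#/g, "\\#").replace(/}/g, "\\}");
}

function sanitizeKendoTemplate(userTemplate, allowedFields = ALLOWED_FIELDS) {
  let out = "";
  let last = 0;
  for (const m of userTemplate.matchAll(BLOCK_RE)) {
    const [whole, op, expr] = m;
    // Literal text before this block (can only contain an unpaired "#" or a "}").
    out += escapeLiteral(userTemplate.slice(last, m.index));
    const field = expr.trim();
    if (op && IDENT_RE.test(field) && allowedFields.has(field)) {
      // Allowed field reference: always emit the HTML-encoding form "#:field#",
      // so a data value that contains markup cannot inject script either.
      out += "#:" + field + "#";
    } else {
      // Arbitrary code, a property chain, or a field not on the list:
      // keep it visible to the user but inert.
      out += escapeLiteral(whole);
    }
    last = m.index + whole.length;
  }
  out += escapeLiteral(userTemplate.slice(last));
  return out;
}

// The returned string is what you would hand to kendo.template() or to a
// column's "template" option; the user's raw text is never compiled.
console.log(sanitizeKendoTemplate("Hello #= name # # alert('test') #"));
```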