如何加密 Telerik Rad 编辑器视图状态？

Question

The viewstate or application's pages are already encrypted but looking at the Burp output of the response from a POST to the Telerik.UI.DialogHandler (ImageMananger) it seems the Telerik view state in the response appears not to be. See attached image.

Burp output

We've generated and specified the DialogParametersEncryptionKey, ConfigurationEncryptionKey, and ConfigurationHashKey keys in the site level web.config as described in article https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security . This didn't change the viewstate.

The machine key in IIS is set for auto-generation.

I'm only assuming the Telerik viewstate can be encrypted because what I've read seems to imply that, but I haven't found a clear example so I'm not sure.

Answer 1

Can you please change the TargetFramework of the application to 4.5 or above and test again:

>  <compilation debug="false" targetFramework="4.8" />
>     <httpRuntime targetFramework="4.8" />
>     <pages viewStateEncryptionMode="Always" enableViewStateMac="true">
>         <controls>
>             <add tagPrefix="telerik" namespace="Telerik.Web.UI" assembly="Telerik.Web.UI" />
>         </controls>
>     </pages>
>     <httpHandlers>

It is also a must to set viewStateEncryptionMode="Always" enableViewStateMac="true" in the page directive or the web.config.

Check out this product forum thread for more information: https://www.telerik.com/forums/can-the-rad-editor-viewstate-be-encrypted .