Monday, February 25, 2008

Validating a Telerik Combo Box at Client/Server side

Recently, in one of my projects, I faced the challenge of validating the character set that can be entered into a Telerik Combo Box. Initially, any invalid character that I entered, such as "&lt", would cause the Combo Box to crash, because such characters are illegal and they are sent to the server side (the ItemsRequested event).
I started my search but could not find anything conclusive that would do the job for me. In the end, after going through their client API, I found the function of interest, "OnClientItemsRequesting". This client-side handler can cancel the server-side event if it returns false. So I wrote the following code in my aspx page.


<radC:RadComboBox ID="ComboBox" CausesValidation="false"
    ExpandEffect="Stretch" AutoPostBack="false" runat="server"
    EnableLoadOnDemand="True" Height="200px"
    OnItemsRequested="RadComboBox1_ItemsRequested"
    AllowCustomText="true"
    MarkFirstMatch="True" Width="230px" TabIndex="1"
    OnClientItemsRequesting="ClearComboItems"
    MaxLength="50"></radC:RadComboBox>
The ComboBox will now call the ClearComboItems function when OnClientItemsRequesting fires. The definition of ClearComboItems is below.

function ClearComboItems(combobox)
{
    // Tokens that must never be sent to the server (ItemsRequested).
    var badkeys = [
        "&#x3C;", "%3c", "&#60", "%3C", "%3e",
        "%3E", "%27", "&#x27;", "&#34", "&#38", "&#39",
        "&#60", "&#62", "&#x22", "&#x27", "&#x26",
        "&#x3C", "&#x3E", "&quot;", "&apos;",   // "&quot;" is the entity for a double quote
        "~", "@", "#", "$", "^", "&", "*", ":", "!", "`", "&amp",
        "&lt", "&gt", "\\u0022", "\\u0026", "\\u0027",
        "\\u003c", "\\u003e", "select", "insert", "update",
        "delete", "drop", "having", "truncate", "union",
        "--", "#", "%", "@@", "+", "_", "-", "=", "1", "2", "3", "4",
        "5", "6", "7", "8", "9", "0", "1=1", "exec", "alert", ";", "document",
        "meta", "iframe", "html", "script", "0x", "{", "<", ">", "xp_",
        "'1'='1'", "../", "./", ".exe", ".dll", "/*", "*/", "waitfor",
        "&#", "<<", ".config"
    ];
    var val = combobox.GetText();
    // indexOf searches the whole string, so a single pass over the list is enough.
    for (var j = 0; j < badkeys.length; j++)
    {
        if (val.indexOf(badkeys[j]) != -1)
        {
            // Illegal token found: clear the box and cancel the server-side request.
            combobox.ClearSelection();
            return false;
        }
    }
    return true;
}
As we can see above, we have created an array badkeys that lists all the tokens that must be blocked from being sent to the server. Returning false stops the server-side event from firing, so the illegal string is never passed to the server. To put a check in place at the server as well, you can add the same logic to the ComboBox_ItemsRequested event. This is shown below.



protected void RadComboBox1_ItemsRequested(object o, Telerik.WebControls.RadComboBoxItemsRequestedEventArgs e)
{
    // Query the data source with key (the sanitised text), never with e.Text directly.
    string key = ClearComboItems(e.Text);
}

public static string ClearComboItems(string strText)
{
    if (strText == null)
    {
        return string.Empty;
    }
    string[] badkeys = {"&#x3C;", "%3c", "&#60", "%3C",
        "%3e", "%3E", "%27", "&#x27;", "&#34",
        "&#38", "&#39", "&#60", "&#62", "&#x22", "&#x27", "&#x26",
        "&#x3C", "&#x3E", "&quot;", "&apos;",   // "&quot;" is the entity for a double quote
        "~", "@", "#", "$", "^", "&", "*", ":", ".", "!", "`",
        "&amp", "&lt", "&gt", "\\u0022", "\\u0026", "\\u0027",
        "\\u003c", "\\u003e", "select", "insert", "update", "delete",
        "drop", "having", "truncate", "union", "--", "#", "%", "@@", "+",
        "_", "-", "=", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0",
        "'", "1=1", "exec", "alert", ";", "document", "meta", "iframe",
        "html", "script", "0x", "{", "<", ">", "xp_", "'1'='1'", "../",
        "./", ".exe", ".dll", "/*", "*/", "waitfor", "&#", "<<", ".config"};
    // Removing one token can expose another, so repeat the pass until
    // nothing more is removed (the string only ever shrinks, so this terminates).
    string previous;
    do
    {
        previous = strText;
        for (int j = 0; j < badkeys.Length; j++)
        {
            strText = strText.Replace(badkeys[j], "");
        }
    } while (strText != previous);
    return strText.Trim();
}
To further strengthen the Combo Box you may also call the same function on "OnClientBlur". This prevents illegal characters from being pasted into the combo box. The client-side check only improves the user experience; anything that reaches the server must still pass through the server-side check above, because a client script can be bypassed.
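As an added example (not code from the original post), the following JavaScript packages the post's badkeys list as a reject-style validator that reports which token matched, so the server can log it, and puts an allow-list check beside it so the trade-off is visible: the blacklist contains every digit and the hyphen, so a search for "Route 66" never reaches the server, while the allow-list accepts it and still rejects markup and SQL punctuation by construction. ClearComboItemsStrict uses the same GetText and ClearSelection calls as the post and can be wired to OnClientItemsRequesting and OnClientBlur alike; the allowed character set is an assumption to be adjusted to the data being searched, and the blacklist check also compares case-insensitively, which the post's loop does not.

```javascript
// Added example, not code from the original post: the post's blacklist as a
// reject-style validator that reports which token matched, next to an
// allow-list check (the allowed character set is an assumption).
"use strict";

// The post's badkeys list, deduplicated; "&quote;" read as the entity "&quot;".
const BAD_KEYS = [
  "&#x3C;", "%3c", "&#60", "%3C", "%3e", "%3E", "%27", "&#x27;", "&#34", "&#38",
  "&#39", "&#62", "&#x22", "&#x27", "&#x26", "&#x3C", "&#x3E", "&quot;", "&apos;",
  "~", "@", "#", "$", "^", "&", "*", ":", "!", "`", "&amp", "&lt", "&gt",
  "\\u0022", "\\u0026", "\\u0027", "\\u003c", "\\u003e", "select", "insert",
  "update", "delete", "drop", "having", "truncate", "union", "--", "%", "@@",
  "+", "_", "-", "=", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "1=1",
  "exec", "alert", ";", "document", "meta", "iframe", "html", "script", "0x",
  "{", "<", ">", "xp_", "'1'='1'", "../", "./", ".exe", ".dll", "/*", "*/",
  "waitfor", "&#", "<<", ".config",
];

// Blacklist check: returns the first token found in `text`, or null when the
// text is clean. Unlike the post's loop it is case-insensitive ("SELECT").
function findBadKey(text) {
  const lower = String(text).toLowerCase();
  for (const key of BAD_KEYS) {
    if (lower.indexOf(key.toLowerCase()) !== -1) return key;
  }
  return null;
}

// Allow-list check: letters, digits, space and a few name punctuation marks,
// bounded by the control's MaxLength. Anything else is rejected by
// construction, yet "Route 66" or "Smith-Jones" still work.
const ALLOWED = /^[A-Za-z0-9 ,.-]*$/;
function isAllowed(text, maxLength = 50) {
  const s = String(text);
  return s.length <= maxLength && ALLOWED.test(s);
}

// Handler in the shape the post uses for OnClientItemsRequesting (and usable
// for OnClientBlur): returning false cancels the server-side request.
function ClearComboItemsStrict(combobox) {
  if (!isAllowed(combobox.GetText())) {
    combobox.ClearSelection();
    return false;
  }
  return true;
}
```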

I hope this helps.
