
Injection Protected

  • Charles Cook

    Posted on May 19, 2008

    Hello,

    Is there any way to prevent injection from attacks such as the one described in the following link (without having to manually read posted HTML)?

    http://charlesrcook.com/archive/2008/05/17/easily-injecting-html-into-radeditor.aspx

    To show the weakness, here is a span tag...
    injected



    Thank you,

    Charles

  • Telerik Admin

    Posted on May 21, 2008

    Hello,

    You are correct, the RadEditor control has no restrictions on the client. All HTML markup is allowed in the content area. The only tag that we try to control is <script>. Unless you explicitly enable scripts in the editor configuration, all <script> tags will be removed when the editor content is submitted.

    This brings me to the point - the editor is just a form element on the page. Unfortunately, this means that with the proper tools, you can modify its value when the form is submitted and insert any content you want. As you know, client-side validation of any kind is easily defeated in this way. The only place where you can properly validate your content is the server code. In the case of RadEditor, if you want to use it for text input only, then you should use the Text property on the server instead of the Content property. This will remove all HTML tags and give you only the text content.

    Best wishes,
    Lini
    the Telerik team

  • Charles Cook

    Posted on May 23, 2008

    Thank you Lini,

    I was hoping that the control, being a server-side control, would have some checks on what is posted. Because the tools for the editor are configured before the control is rendered, can the editor not check the HTML on postback?

    For example, on the Telerik forums only simple markup is allowed (bold, italic, etc.). Could you not, on postback, validate the HTML and verify that only markup for those tags is present? It seems like it would be rather simple to do with regex.

    Another method I was thinking of, which would be a bit more complicated yet more secure, would be to post custom, lighter BB-style markup for limited markup situations. For example, on the client side replace <b> with [b] and then on the server side reverse the replacement. If this was done it would also allow the developer to keep validate postback on...

    We will probably modify another WYSIWYG tool to do this to keep sites secure.

    Are any of these a possibility with the RadEditor?


    Thank you,

    Charles

  • Telerik Admin

    Posted on May 27, 2008

    Hi Charles,

    Due to the huge range of scenarios where the editor is used, it is simply not possible to incorporate all specific functionality into the editor and keep it operational at the same time. Thus the approach taken is for the editor to provide "hooks", such as client and server events, as well as a rich API that allows easy fine-tuning and enhancing of any of the editor's "capabilities".

    In this case, it is certainly possible to strip all undesired content on the server, before saving it to the database, by using, for example, regular expressions. As noted, due to the huge number of possible scenarios, such ability does not exist built into the editor. For most purposes you could consider the editor as a regular <asp:TextBox> that has very few restrictions on its input - as in many cases even the most potentially harmful content can be legitimate - for example, when using the editor in a non-public admin area.


    Sincerely yours,
    Tervel
    the Telerik team

  • Charles Cook

    Posted on May 30, 2008
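Both the regex allowlist Charles proposes and the "strip all undesired content on the server" approach Tervel describes come down to the same thing: the server rebuilds the markup from a small allowlist instead of trusting whatever the form posted, since the editor's client-side filtering can be bypassed. Below is an added example in Python, not RadEditor or Telerik code; the allowed tag set and the [b]/[i] BB-code syntax are assumptions chosen for illustration, and it also covers the BB-style variant from the thread.

```python
"""Server-side allowlist filtering of editor-submitted HTML (added example)."""
import html
import re
from html.parser import HTMLParser

# Tags the site chooses to allow (assumption); every other tag is escaped to text.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowed tags, always without attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # allowed tags still open, so we can close them at the end

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are dropped, so event handlers or style on an allowed tag never survive.
            self.out.append(f"<{tag}>")
            if tag != "br":
                self.open_tags.append(tag)
        else:
            # Disallowed tag (span, script, img, ...) is shown as literal text, not executed.
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_tags:
                # close the most recently opened instance of this tag
                del self.open_tags[len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)]
                self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text, including <script> bodies

    def result(self):
        self.close()
        # Close whatever the submitter left open so the rest of the page is not swallowed.
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open_tags))


def sanitize_html(submitted):
    parser = AllowlistSanitizer()
    parser.feed(submitted)
    return parser.result()


def render_bbcode(submitted):
    """BB-style variant: escape all HTML first, then turn [b]..[/b] and [i]..[/i] into tags."""
    text = html.escape(submitted, quote=False)
    for code in ("b", "i"):
        text = re.sub(rf"\[{code}\](.*?)\[/{code}\]", rf"<{code}>\1</{code}>", text, flags=re.S)
    return text
```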

    Thank you Tervel,

    I appreciate the response.

    Charles
