Cross-site scripting issues with the RadEditor control

5 posts, 1 answer
  1. Steve Holdorf
    Steve Holdorf avatar
    119 posts
    Member since:
    Apr 2010

    Posted 08 Aug 2012 Link to this post

    We work in a very secure environment; however, security practices and standards are in place to prevent application attacks. We want to use the RadEditor control on one of our web pages but need to know if there may be any issues with cross-site scripting attacks. Can you briefly explain how cross-site scripting is or is not possible with the RadEditor control?

    Thanks,


    Steve Holdorf
  2. Rumen
    Admin
    Rumen avatar
    12851 posts

    Posted 09 Aug 2012 Link to this post

    Hi,

    In general it is not possible to guarantee safe content by all means, because a real hacker can modify the POST array and get round the RadEditor mechanism. It is partially the developer's task to verify it and strip potentially malicious content, as the scenarios regarding what content is considered dangerous or not vary greatly.

    What RadEditor does is provide the infrastructure on the client to "hook" and clean content - for example, using content filters.
    On the server the editor content can be processed just as Microsoft suggests in their article: Chapter 10 – Building Secure ASP.NET Pages and Controls.

    The editor does provide the RemoveScripts filter, which prevents script tags from being submitted with its content.

    We prepared a sample content filter to help you get started. Please review the code below. It will loop through all elements when going to HTML mode or when submitting content and will remove a number of potentially dangerous attributes:

    <telerik:radeditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">
        <Content>
            <div onmouseover="alert(1);">test</div>
        </Content>
    </telerik:radeditor>
    <script type="text/javascript">
        function OnClientLoad(editor, args)
        {
            editor.get_filtersManager().add(new MyFilter());
        }
        MyFilter = function()
        {
            MyFilter.initializeBase(this);
            this.set_isDom(false);
            this.set_enabled(true);
            this.set_name("RadEditor filter");
            this.set_description("RadEditor filter description");
        }
        MyFilter.prototype =
        {
            getHtmlContent : function(content)
            {
                // Parse the untrusted content into a document that has no browsing
                // context: images in it are not fetched there, so an onerror handler
                // cannot fire while the content is being filtered.
                var doc = document.implementation.createHTMLDocument("");
                var dom = doc.body;
                dom.innerHTML = content;
                var elems = dom.getElementsByTagName("*");
                for (var i = 0; i < elems.length; i++)
                {
                    // Remove the onmouseover, onerror and onclick event handler
                    // attributes. Assigning null to elem.onmouseover would only clear
                    // the handler property; the attribute would still be serialized
                    // back out by innerHTML.
                    var elem = elems[i];
                    elem.removeAttribute("onmouseover");
                    elem.removeAttribute("onerror");
                    elem.removeAttribute("onclick");
                }
                return dom.innerHTML;
            }
        }
        MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
    </script>


    You can further elaborate on the code by checking the href and src attributes, for example (and removing those that do not meet your requirements).


    Kind regards,
    Rumen
    the Telerik team
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
  4. Luke
    Luke avatar
    1 posts
    Member since:
    Sep 2013

    Posted 25 Sep 2013 Link to this post

    I'm working on a situation where a hacker enters the following into the radEditor in HTML Mode:

     <img alt="" onerror="alert('XSS')" src="x" />
     <script>prompt();</script>

    I have set the RemoveScripts filter and added the custom filter to remove the onerror attribute. However, when I hit "Submit" or change modes the "XSS" alert is still popping up (the <script> was filtered out). I thought the filter would execute at the same time as the standard filters, but that does not seem to be the case. It appears that the editor is rendering the HTML before processing it. Is that correct, and if so, how do I intercept the HTML and filter it beforehand?

    I'm using the same custom filter you outlined in the example and I have confirmed that it is being executed.  

    Thanks

    Luke
  5. Answer
    Ianko
    Admin
    Ianko avatar
    1535 posts

    Posted 30 Sep 2013 Link to this post

    Hi Steve,

    Note that if you are using the below example for the implementation of the custom content filter, you should implement the getDesignContent property in order to trigger the desired logic when switching to Design view. You could follow this online demo for more information about building your own filters.

    You can see an example of the suggested approach in the following setup:
    <telerik:RadEditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">
        <Content>
            <div onmouseover="alert(1);">test</div>
        </Content>
    </telerik:RadEditor>

    <script type="text/javascript">
        function OnClientLoad(editor, args) {
            editor.get_filtersManager().add(new MyFilter());
        }
        MyFilter = function () {
            MyFilter.initializeBase(this);
            this.set_isDom(false);
            this.set_enabled(true);
            this.set_name("RadEditor filter");
            this.set_description("RadEditor filter description");
        }
        // Shared by both filter methods. The content is parsed into a document
        // without a browsing context, so an <img onerror> in the untrusted content
        // cannot fetch and fire while it is being cleaned, and the listed event
        // handler attributes are removed outright (not just set to "").
        function removeEventHandlers(content) {
            var doc = document.implementation.createHTMLDocument("");
            var dom = doc.body;
            dom.innerHTML = content;
            var elems = dom.getElementsByTagName("*");
            for (var i = 0; i < elems.length; i++) {
                var elem = elems[i];
                elem.removeAttribute("onmouseover");
                elem.removeAttribute("onerror");
                elem.removeAttribute("onclick");
            }
            return dom.innerHTML;
        }
        MyFilter.prototype =
        {
            // Runs when switching to HTML mode and when the content is submitted.
            getHtmlContent: function (content) {
                return removeEventHandlers(content);
            },
            // Runs when switching to Design view; without it the content reaches
            // the design surface unfiltered.
            getDesignContent: function (content) {
                return removeEventHandlers(content);
            }
        }
        MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
    </script>



    Regards,
    Ianko
    Telerik
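The two replies above cover the same filter from two angles: Rumen's note that the policy should also look at href and src, and Ianko's point that the logic has to run from both getHtmlContent and getDesignContent. The following is an added example written for this page, not Telerik's code or a reproduction of the posts above. It assumes only the client API names the thread itself uses (Telerik.Web.UI.Editor.Filter, initializeBase/registerClass, get_filtersManager().add()); the scheme allowlist, the attribute and tag tables, and the helper names are our own choices. The policy core takes no DOM calls, so the same rules can be applied again on the server to the POSTed content, which, as Rumen says, a client-side filter by itself cannot protect.

```javascript
// Added example, not Telerik's code. Policy for attributes and elements, applied
// from both getHtmlContent and getDesignContent. Assumed from the thread:
// Telerik.Web.UI.Editor.Filter, initializeBase/registerClass, get_filtersManager().add().

// URL schemes allowed in URL-bearing attributes. Scheme-less (relative) values pass;
// javascript:, vbscript:, data: and anything else not listed are stripped.
var ALLOWED_SCHEMES = { "http": true, "https": true, "mailto": true };

// Attributes whose value a browser treats as a URL.
var URL_ATTRIBUTES = { "href": true, "src": true, "action": true, "formaction": true,
                       "background": true, "poster": true, "xlink:href": true };

// Elements removed outright, together with their content.
var FORBIDDEN_TAGS = { "script": true, "iframe": true, "object": true, "embed": true,
                       "base": true, "link": true, "meta": true, "style": true };

// Browsers ignore ASCII whitespace and control characters inside a scheme
// ("java\tscript:" still runs), so strip them before extracting the scheme.
function isSafeUrl(value) {
  var compact = String(value).replace(/[\x00-\x20]/g, "").toLowerCase();
  var m = /^([a-z][a-z0-9+.\-]*):/.exec(compact);
  if (!m) {
    return true; // no scheme at all: a relative URL
  }
  return ALLOWED_SCHEMES[m[1]] === true;
}

// Keep or drop one attribute: every on* handler goes, not just a fixed list of
// three; URL attributes are checked by scheme; inline style is dropped because
// older IE evaluates expression() and url(javascript:) inside it.
function isAllowedAttribute(name, value) {
  var lower = String(name).toLowerCase();
  if (lower.indexOf("on") === 0) {
    return false;
  }
  if (URL_ATTRIBUTES[lower]) {
    return isSafeUrl(value);
  }
  return lower !== "style";
}

// DOM-independent core: given a tag name and [{name, value}], return the
// attributes to keep, or null when the element itself must be removed.
function filterElement(tagName, attributes) {
  if (FORBIDDEN_TAGS[String(tagName).toLowerCase()]) {
    return null;
  }
  var kept = [];
  for (var i = 0; i < attributes.length; i++) {
    if (isAllowedAttribute(attributes[i].name, attributes[i].value)) {
      kept.push(attributes[i]);
    }
  }
  return kept;
}

// Browser part. The content is parsed into a document that has no browsing
// context, so <img src="x" onerror="..."> in it cannot fetch and fire while it
// is being cleaned (innerHTML on a plain detached div would do exactly that).
function sanitizeHtml(content) {
  var doc = document.implementation.createHTMLDocument("");
  var root = doc.body;
  root.innerHTML = content;
  var elems = root.getElementsByTagName("*");
  for (var i = elems.length - 1; i >= 0; i--) { // backwards: live collection
    var elem = elems[i];
    var attrs = [];
    for (var j = 0; j < elem.attributes.length; j++) {
      attrs.push({ name: elem.attributes[j].name, value: elem.attributes[j].value });
    }
    var kept = filterElement(elem.tagName, attrs);
    if (kept === null) {
      elem.parentNode.removeChild(elem);
      continue;
    }
    for (var k = 0; k < attrs.length; k++) {
      if (kept.indexOf(attrs[k]) < 0) {
        elem.removeAttribute(attrs[k].name);
      }
    }
  }
  return root.innerHTML;
}

// RadEditor glue, defined only when the Telerik client library is loaded.
if (typeof Telerik !== "undefined" && Telerik.Web && Telerik.Web.UI &&
    Telerik.Web.UI.Editor && Telerik.Web.UI.Editor.Filter) {
  var AttributePolicyFilter = function () {
    AttributePolicyFilter.initializeBase(this);
    this.set_isDom(false);
    this.set_enabled(true);
    this.set_name("AttributePolicyFilter");
    this.set_description("Removes event handlers, unsafe URLs and forbidden elements");
  };
  AttributePolicyFilter.prototype = {
    getHtmlContent: function (content) { return sanitizeHtml(content); },
    getDesignContent: function (content) { return sanitizeHtml(content); }
  };
  AttributePolicyFilter.registerClass("AttributePolicyFilter", Telerik.Web.UI.Editor.Filter);
}
```

In the page it is hooked up exactly as the thread does it: the OnClientLoad handler calls editor.get_filtersManager().add(new AttributePolicyFilter()). With Luke's payload, the img keeps alt and src ("x" is a relative URL) and loses onerror, and the script element is removed entirely. Note that stripping a handler from the markup is not the same as sanitizing on the server: a client that never loads this script can still POST anything, so filterElement, or an equivalent rule set, must be run again in the page's server-side code before the content is stored or rendered.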
  6. tammy
    tammy avatar
    1 posts
    Member since:
    Jul 2014

    Posted 29 Jul 2014 in reply to Steve Holdorf Link to this post

    XSS is actually a way through which a cyber criminal can inject malicious script into the victim's computer.
    XSS infection uses various ways to infect your system. For example: posting a link that contains an infected URL on Twitter, and the rest of the task is automatically done by Twitter, i.e. covering the posted URL moderately. To know how to protect from XSS kindly visit: http://www.fixbrowserthreats.com/xss-attack-remove-xss
     