Editor ContentFilters not working as expected

2 posts, 0 answers
  1. Nicholas
    1 posts
    Member since:
    Jan 2014

    Posted 09 Dec 2015

    I'm having an issue where, as far as I can tell, the ContentFilters aren't working.  For my test content, I'm using:

    <p onclick="alert('p-fired')">test text</p>
    <script>
    alert("fired");
    </script>

    My editor declaration looks like this:

    <telerik:RadEditor runat="server" ID="reNewComment" ContentAreaMode="Div" StripFormattingOnPaste="MSWord,ConvertWordLists,Css"
        Width="100%" ToolTip="New Comment" Height="300px" EnableResize="True" AllowScripts="False"
        ContentFilters="StripDomEventAttributes,StripCssExpressions,RemoveScripts" EditModes="Design">
    </telerik:RadEditor>

    Now, my text is reaching the server as:

    &lt;p onclick="alert('p-fired')"&gt;test text&lt;/p&gt;
    &lt;script&gt;
    alert("fired");
    &lt;/script&gt;

    This is getting saved this way, and when the page is reloaded both events work.  Am I declaring my content filters incorrectly?  I figured they would strip out the script stuff client side, before reaching the server.  Any help is appreciated, thanks.


  2. Ianko
    Admin
    1535 posts

    Posted 11 Dec 2015

    Hi Nicholas,

    I already replied to you on this question in the ticket you opened with us. You can refer to my answer there. I suggest you continue the conversation in the ticket thread.


    For anyone else interested in the matter:

    In Design mode, pasted HTML is inserted as plain text, not as HTML markup. Therefore, any harmful code is encoded automatically and scripts are neither functional nor compiled by the browser.

    The prevention mechanisms documented here (http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss)) are relevant for script injections.

    With only Design mode on, this is testable either by using automated scripts, the browser's dev toolbar or the browser's console. More information is available here: https://www.google.com/about/appsecurity/learning/xss/.

    Regards,
    Ianko
    Telerik
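As an added illustration for this thread (editorial example, not Telerik code, and not a reproduction of RadEditor's actual filter implementation), the Python below models what filters named StripDomEventAttributes and RemoveScripts do to real markup, and shows why they have nothing to act on when the pasted HTML reaches the server entity-encoded, as in the capture above: encoded text is passed through unchanged and never promoted to markup. It also re-applies the same filtering on the server side, because a browser-side filter can be skipped by anyone who submits the form field directly. The names ContentFilter, filter_markup and server_side_check, and the two sample strings, are this example's own.

```python
"""Model of editor content filtering (strip on* attributes, remove <script>)
plus a server-side re-check. Illustrative code for this thread; it is not
Telerik's implementation."""
from html import escape
from html.parser import HTMLParser

VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}


class ContentFilter(HTMLParser):
    """Re-serialises markup while dropping <script> elements and on* attributes.

    Entity references (&lt; &gt; ...) are emitted exactly as received, so
    content that arrived as encoded text stays encoded text.
    """

    def __init__(self):
        # convert_charrefs=False keeps entities as entities instead of decoding them
        super().__init__(convert_charrefs=False)
        self.out = []        # output fragments
        self.removed = []    # audit trail of what was stripped
        self.in_script = False

    def _render_tag(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):   # DOM event handler attribute
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return f"<{' '.join([tag] + kept)}{' /' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True          # suppress everything up to </script>
            self.removed.append("<script>")
            return
        if not self.in_script:
            self.out.append(self._render_tag(tag, attrs, tag in VOID_ELEMENTS))

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.removed.append("<script/>")
        elif not self.in_script:
            self.out.append(self._render_tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.in_script:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments render nothing; drop them


def filter_markup(html):
    """Return (filtered_html, list_of_removed_items)."""
    f = ContentFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


def server_side_check(submitted):
    """Defence in depth: re-run the filter on the server and report whether the
    submission contained anything that had to be stripped (False = suspicious)."""
    clean, removed = filter_markup(submitted)
    return clean, len(removed) == 0


# Constructed samples mirroring the thread's test content.
RAW_MARKUP = (
    '<p onclick="alert(\'p-fired\')">test text</p>\n'
    '<script>\nalert("fired");\n</script>'
)
# The same content as it reached the server after being pasted in Design mode:
# the browser inserted it as text, so the angle brackets are entity-encoded.
ENCODED_TEXT = (
    '&lt;p onclick="alert(\'p-fired\')"&gt;test text&lt;/p&gt;\n'
    '&lt;script&gt;\nalert("fired");\n&lt;/script&gt;'
)

if __name__ == "__main__":
    for label, sample in (("raw markup", RAW_MARKUP), ("encoded text", ENCODED_TEXT)):
        clean, ok = server_side_check(sample)
        print(f"{label}: unchanged={ok}\n{clean}\n")
```

Run stand-alone, the raw sample comes back as `<p>test text</p>` with the onclick attribute and the script element logged as removed, while the encoded sample is returned byte-for-byte, which is exactly the situation described in the thread: the filters had no markup to strip, and the encoded text is harmless as long as it is rendered without being decoded into HTML.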