I'm having an issue where, as far as I can tell, the ContentFilters aren't working. For my test content, I'm using:
<p onclick="alert('p-fired')">test text</p>
<script>
alert("fired");
</script>
My editor declaration looks like this:
<telerik:RadEditor runat="server" ID="reNewComment" ContentAreaMode="Div" StripFormattingOnPaste="MSWord,ConvertWordLists,Css"
Width="100%" ToolTip="New Comment" Height="300px" EnableResize="True" AllowScripts="False"
ContentFilters="StripDomEventAttributes,StripCssExpressions,RemoveScripts" EditModes="Design">
Now, my text is reaching the server as:
<p onclick="alert('p-fired')">test text</p>
<script>
alert("fired");
</script>
This is getting saved this way, and when the page is reloaded both events work. Am I declaring my content filters incorrectly? I figured they would strip out the script stuff client side, before reaching the server. Any help is appreciated, thanks.
1 Answer, 1 is accepted
I already replied you to this question in the ticket opened to us. You can refer ti my answer there. I suggest you continuing the conversation in the ticket thread.
For anyone else interested in the matter:
In Design mode, pasting HTML is inserted as plain text not as HTML markup. Therefore, any harmful code is encoded automatically and scripts are neither functional, nor compiled by the browser.
The prevent mechanisms documented here (http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss)) are relevant for script injections.
With only Design mode on, this is testable by either using automated scripts, the browser's dev toolbar or the browser's console. More information is available here— https://www.google.com/about/appsecurity/learning/xss/.
Regards,
Ianko
Telerik