Editor loses changes to html tags

  1. Jeff
    Posted 06 Jan 2014

    Hello,

    I've tried this on the online demo at:

    http://demos.kendoui.com/web/editor/all-tools.html

    Click the View Html tool, edit the first img tag and add onerror="imgError()" to it.

    Click the update button. View Html again and my change has now disappeared. Why is that?
    I first noticed it locally and thought I did something wrong; then I tried it on the online demo section and the same behaviour happens.

    Things get even weirder if you add something like onerror="alert('The image could not be loaded.')"

    If you view html again, this is what you get:

    <img alt="Editor for ASP.NET MVC logo" be="" could="" image="" loaded.');"="" not="" src="http://www.kendoui.com/Image/kendo-logo.png" style="display:block;margin-left:auto;margin-right:auto;" the="" />

    Looks like a big bug to me.
  2. Answer
    Jeff
    Posted 06 Jan 2014

    Hello Stuart,

    The onerror handler is stripped intentionally, as it has exposed some XSS problems in the past. The incorrect parsing of the onerror message is indeed wrong, and has been logged for fixing. If you want to add an error handler, do so through client-side scripting rather than through attributes.

    Regards,
    Alex Gyoshev
    Telerik
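
The two behaviours discussed in this thread, shown as an added example that is not part of the original posts and is not Kendo UI's code: the event-handler attribute is dropped on purpose, while a quoted value containing spaces is kept as one token instead of being split into stray attributes. The function names `parseStartTag` and `stripEventHandlers` are hypothetical, and the sample tag is constructed from the one in the question.

```javascript
// Added illustration, not Kendo UI's implementation; handles ONE start tag only.
// Tokenize attributes while honouring quotes, so spaces inside a value do not split it.
function parseStartTag(tag) {
  const m = /^<([a-zA-Z][^\s\/>]*)/.exec(tag);
  if (!m) throw new Error("not a start tag");
  const attrs = [], isSpace = (c) => /\s/.test(c);
  let i = m[0].length;
  while (i < tag.length) {
    while (i < tag.length && (isSpace(tag[i]) || tag[i] === "/")) i++;
    if (i >= tag.length || tag[i] === ">") break;
    let start = i;
    while (i < tag.length && !isSpace(tag[i]) && !"=/>".includes(tag[i])) i++;
    const name = tag.slice(start, i).toLowerCase();
    while (i < tag.length && isSpace(tag[i])) i++;
    let value = null; // null marks a boolean attribute such as "hidden"
    if (tag[i] === "=") {
      i++;
      while (i < tag.length && isSpace(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") { // quoted: read up to the matching quote
        const end = tag.indexOf(q, i + 1);
        value = tag.slice(i + 1, end === -1 ? tag.length : end);
        i = end === -1 ? tag.length : end + 1;
      } else { // unquoted: read up to whitespace or ">"
        start = i;
        while (i < tag.length && !isSpace(tag[i]) && tag[i] !== ">") i++;
        value = tag.slice(start, i);
      }
    }
    attrs.push({ name, value });
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Drop every on* attribute (onerror, onload, ...) and re-serialize the rest.
function stripEventHandlers(tag) {
  const { name, attrs } = parseStartTag(tag);
  const kept = attrs.filter((a) => !a.name.startsWith("on"));
  const out = kept.map((a) => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, "&quot;")}"`));
  const close = /\/\s*>$/.test(tag) ? " />" : ">";
  return `<${[name, ...out].join(" ")}${close}`;
}

// Constructed sample based on the tag in the question.
const sample =
  '<img alt="Editor for ASP.NET MVC logo" onerror="alert(\'The image could not be loaded.\')" src="http://www.kendoui.com/Image/kendo-logo.png" />';
console.log(stripEventHandlers(sample));
```

This filter covers only on* attributes on a single tag; content that will be rendered should go through a sanitizer that works on a parsed DOM with an allowlist.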