This is a migrated thread and some comments may be shown as answers.

How to allow scripts

miksh asked on 10 Mar 2014, 06:08 PM
In RadEditor Q1 2014, AllowScripts is marked as obsolete. How do I correctly allow scripts in the editor content now?
Btw, I was not able to find anything related in the online help.

Accepted
Ianko
Telerik team
answered on 11 Mar 2014, 03:22 PM
Hi Michael,

The escaping of the script tags is handled via built-in content filters (RemoveScripts and EncodeScripts). These filters can be configured using the ContentFilters property or using the DisableFilter() or EnableFilter() methods.

ASP.NET Example:
<telerik:RadEditor ID="RadEditor1" ContentFilters="MakeUrlsAbsolute,FixEnclosingP" runat="server" />


C# Example:
RadEditor1.DisableFilter(EditorFilters.EncodeScripts);
RadEditor1.DisableFilter(EditorFilters.RemoveScripts);

You can also examine the functionality of the Content Filters in this live example.

Regards,
Ianko
Telerik


miksh answered on 11 Mar 2014, 03:30 PM
Thank you. Could you explain on an example the purpose of EncodeScripts filter?
I added <script>alert("hi")</script> in the live example expecting that this would be rendered in the preview/design view but it's not.
Ianko
Telerik team
answered on 12 Mar 2014, 06:59 AM
Hello Michael,

Please follow this example configuration and the explanation to examine the EncodeScripts functionality:

Example:
<telerik:RadEditor ID="RadEditor1" runat="server" ContentFilters="EncodeScripts">
    <Content>
        <script type="text/javascript">alert(1);</script>
    </Content>
</telerik:RadEditor>
 
<telerik:RadButton runat="server" ID="RadButton1" AutoPostBack="false"
    OnClientClicked="getActualHTML" Text="Get Actual HTML"></telerik:RadButton>
<telerik:RadButton runat="server" ID="RadButton2" AutoPostBack="false"
    OnClientClicked="getContent" Text="Get Content"></telerik:RadButton>
 
<br />
<textarea id="output" style="width:400px; height:200px;"></textarea>
 
<script type="text/javascript">
    function getContent(sender, args) {
        var editor = $find("<%= RadEditor1.ClientID %>");
        var textarea = $get("output");
        textarea.innerHTML = editor.get_html(true);
    }
 
    function getActualHTML(sender, args) {
        var editor = $find("<%= RadEditor1.ClientID %>");
        var textarea = $get("output");
        textarea.innerHTML = editor.get_contentArea().innerHTML;
    }
</script>

This example sets the HTML content of the Editor (a script code block with a simple alert) and outputs it into the textarea with id "output". The first button, Get Actual HTML, retrieves the innerHTML property of the Editor's ContentArea. As seen, the HTML is set as a commented code block:
<!--RADEDITORSAVEDTAG_script type="text/javascript">alert(1);</script-->

This is done to preserve all implemented functionality, but prevent it from triggering in the Editor. If the EncodeScripts filter is disabled, the implemented alert will be invoked on each page load.

The second button, Get Content, uses the Editor's get_html() method to retrieve the real content. That means that the comment block will be replaced with a real script tag:

<script type="text/javascript">alert(1);</script>

In this case, if the content is submitted and used as a standalone page, the implementations would be applicable and would run as expected.

I suggest you also check this screencast, in which I am showing how this filter affects the content.

The main purpose of this filter is to prevent harmful scripts from being triggered in the source page or the application, but still retain the implemented logic if such is designed with a purpose and used outside of the content area.

Regards,
Ianko
Telerik

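An added example, not part of this thread and not Telerik's code: a plain JavaScript model of what the two answers above describe, the filter list that DisableFilter(EditorFilters.EncodeScripts) / DisableFilter(EditorFilters.RemoveScripts) turns off in the first answer, and the comment-wrapping and get_html() round trip shown in the second. Everything except the marker text "RADEDITORSAVEDTAG_" and the commented form quoted in the answer is an assumption: the filter is modelled as a regex over script elements, and the sample content is constructed for the demonstration, so it runs offline without RadEditor.

```javascript
// Added example (not Telerik's code): a string-level model of the
// EncodeScripts content filter described in the answers above, so the
// encode / get_html() round trip can be reproduced without RadEditor.
// Assumptions, not taken from the thread: the filter is modelled as a regex
// over <script ...>...</script> pairs; only the marker text
// "RADEDITORSAVEDTAG_" and the commented form are copied from the answer.

const SAVED_TAG_MARKER = "RADEDITORSAVEDTAG_";

// Design-view direction: wrap each script element in an HTML comment so the
// browser parses it as a comment, never as executable script.
function encodeScripts(html) {
  return html.replace(
    /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi,
    (_match, attrs, body) => {
      // Failure mode of the comment trick: "-->" inside the script body would
      // close the comment early and leave the tail rendered as text. A real
      // filter must escape it; this model refuses instead of emitting it.
      if (body.includes("-->")) {
        throw new Error("script body contains '-->'; cannot be comment-wrapped safely");
      }
      return `<!--${SAVED_TAG_MARKER}script${attrs}>${body}</script-->`;
    }
  );
}

// get_html() direction: turn the saved comment back into a real script tag.
function decodeScripts(html) {
  const pattern = new RegExp(
    `<!--${SAVED_TAG_MARKER}script\\b([^>]*)>([\\s\\S]*?)</script-->`,
    "gi"
  );
  return html.replace(pattern, (_match, attrs, body) => `<script${attrs}>${body}</script>`);
}

// Anything inside an HTML comment is inert, so drop comments before counting
// what a browser would actually treat as live script.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

function liveScriptTagCount(html) {
  return (stripComments(html).match(/<script\b/gi) || []).length;
}

// Inline event handlers (onerror=, onload=, ...) are not <script> elements, so
// a filter that only comment-wraps script tags, like this model, leaves them
// untouched. Whether RadEditor's other filters handle them is not covered by
// the thread; this count just makes that gap visible.
function inlineHandlerCount(html) {
  return (stripComments(html).match(/\son[a-z]+\s*=/gi) || []).length;
}

// Constructed sample content, standing in for what an author types into the
// editor: the script block from the answer plus an event-handler attribute.
const SAMPLE_CONTENT = [
  "<p>Hello</p>",
  '<script type="text/javascript">alert(1);</script>',
  '<img src="x" onerror="alert(2)">',
].join("\n");

// Walk the content through both directions and report what is live where.
function roundTrip(html) {
  const designView = encodeScripts(html);      // what get_contentArea().innerHTML shows
  const submitted = decodeScripts(designView); // what get_html(true) / the postback carries
  return {
    designView,
    submitted,
    liveScriptsInDesignView: liveScriptTagCount(designView),
    liveScriptsInSubmitted: liveScriptTagCount(submitted),
    handlersInDesignView: inlineHandlerCount(designView),
    roundTripsExactly: submitted === html,
  };
}

console.log(roundTrip(SAMPLE_CONTENT));
```

The model reproduces the answer's observation: in the design view the script block is a comment and nothing is live, while the content returned by get_html(), which is what the postback carries, contains a real script tag again. That is the practical consequence of disabling RemoveScripts and EncodeScripts as in the first answer: the HTML that reaches the server is live script, and whether that is acceptable depends on who is allowed to author content. The handler count shows that comment-wrapping script elements, by itself, says nothing about event-handler attributes, so content from untrusted authors still needs server-side sanitization or an allow-list regardless of the editor's filter configuration.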
