How to allow scripts

4 posts, 1 answer
  1. miksh
    miksh avatar
    275 posts
    Member since:
    Nov 2006

    Posted 10 Mar 2014 Link to this post

    In RadEditor Q1 2014, AllowScripts is marked as obsolete. How do I correctly allow scripts in the editor content now?
    Btw, I was not able to find anything related in the online help.
  2. Answer
    Ianko
    Admin
    Ianko avatar
    1535 posts

    Posted 11 Mar 2014 Link to this post

    Hi Michael,

    The escaping of the script tags is handled via built-in content filters (RemoveScripts and EncodeScripts). These filters can be configured using the ContentFilters property or using the DisableFilter() or EnableFilter() methods.

    ASP.NET Example:
    <telerik:RadEditor ID="RadEditor1" ContentFilters="MakeUrlsAbsolute,FixEnclosingP" runat="server" />


    C# Example:
    RadEditor1.DisableFilter(EditorFilters.EncodeScripts);
    RadEditor1.DisableFilter(EditorFilters.RemoveScripts);

    You can also examine the functionality of the Content Filters in this live example.

    Regards,
    Ianko
    Telerik

    DevCraft Q1'14 is here! Watch the online conference to see how this release solves your top-5 .NET challenges. Watch on demand now.

  4. miksh
    miksh avatar
    275 posts
    Member since:
    Nov 2006

    Posted 11 Mar 2014 in reply to Ianko Link to this post

    Thank you. Could you explain, with an example, the purpose of the EncodeScripts filter?
    I added <script>alert("hi")</script> in the live example, expecting that this would be rendered in the preview/design view, but it's not.
  5. Ianko
    Admin
    Ianko avatar
    1535 posts

    Posted 12 Mar 2014 Link to this post

    Hello Michael,

    Please follow this example configuration and the explanation to examine the EncodeScripts functionality:

    Example:
    <telerik:RadEditor ID="RadEditor1" runat="server" ContentFilters="EncodeScripts">
        <Content>
            <script type="text/javascript">alert(1);</script>
        </Content>
    </telerik:RadEditor>
     
    <telerik:RadButton runat="server" ID="RadButton1" AutoPostBack="false"
        OnClientClicked="getActualHTML" Text="Get Actual HTML"></telerik:RadButton>
    <telerik:RadButton runat="server" ID="RadButton2" AutoPostBack="false"
        OnClientClicked="getContent" Text="Get Content"></telerik:RadButton>
     
    <br />
    <textarea id="output" style="width:400px; height:200px;"></textarea>
     
    <script type="text/javascript">
        function getContent(sender, args) {
            var editor = $find("<%= RadEditor1.ClientID %>");
            var textarea = $get("output");
            textarea.innerHTML = editor.get_html(true);
        }
     
        function getActualHTML(sender, args) {
            var editor = $find("<%= RadEditor1.ClientID %>");
            var textarea = $get("output");
            textarea.innerHTML = editor.get_contentArea().innerHTML;
        }
    </script>

    This example sets the HTML content of the Editor, which is a script code block with a simple alert, into the textarea with id "output". The first button, Get Actual HTML, retrieves the innerHTML property of the Editor's ContentArea. As seen, the HTML is set as a commented code block:
    <!--RADEDITORSAVEDTAG_script type="text/javascript">alert(1);</script-->

    This is done to preserve all implemented functionality, but prevent it from triggering in the Editor. If the EncodeScripts filter is disabled, the implemented alert will be invoked on each page load.

    The second button, Get Content, uses the Editor's get_html() method to retrieve the real content. That means the comment block is replaced with a real script tag:

    <script type="text/javascript">alert(1);</script>

    In this case, if the content is submitted and used as a standalone page, the implementations would be applicable and run as expected.

    I suggest you also check this screencast, in which I show how this filter affects the content.

    The main purpose of this filter is to prevent harmful scripts from being triggered in the source page or the application, while still retaining the implemented logic if it is designed with a purpose and used outside of the content area.

    Regards,
    Ianko
    Telerik

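As an added example (not Telerik's code and not the EncodeScripts implementation itself), here is a small JavaScript re-creation of the transformation the answer above describes, so the inert (editor) form and the live (get_html) form of the content can be compared offline. The RADEDITORSAVEDTAG_ marker is the one shown in the post; the function names and regular expressions are assumptions made for illustration.

```javascript
// Simplified model of the EncodeScripts filter behaviour described in the post.
// Assumed names/regexes; only the RADEDITORSAVEDTAG_ marker comes from the page.
const SAVED_TAG = "RADEDITORSAVEDTAG_";

// Matches a whole <script ...>...</script> element, case-insensitively.
// [\s\S]*? spans newlines; the lazy quantifier stops at the first </script>.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// Editor-side form: the element becomes an HTML comment, so the browser that
// renders the design view parses it as text and never executes it.
function encodeScripts(html) {
  return html.replace(SCRIPT_RE, (m, attrs, body) =>
    `<!--${SAVED_TAG}script${attrs}>${body}</script-->`);
}

// get_html()-side form: the comment is turned back into a real element, so
// content saved from the editor keeps the author's script (and it WILL run
// wherever that saved HTML is later rendered, as the post points out).
const SAVED_RE = new RegExp(
  `<!--${SAVED_TAG}script\\b([^>]*)>([\\s\\S]*?)<\\/script-->`, "gi");

function decodeScripts(html) {
  return html.replace(SAVED_RE, (m, attrs, body) =>
    `<script${attrs}>${body}</script>`);
}

// Defender-side check: does any <script> open tag survive outside comments?
// Note: a script body containing "-->" would end the comment early and break
// this simple scheme; a production filter must handle that case explicitly.
function hasLiveScript(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?-->/g, "");
  return /<script\b/i.test(withoutComments);
}

// Constructed sample content, mirroring the <Content> in the post.
const SAMPLE = '<p>Hi</p>\n<script type="text/javascript">alert(1);</script>';
const encoded = encodeScripts(SAMPLE);
console.log("editor form :", encoded, "live:", hasLiveScript(encoded));
console.log("get_html form:", decodeScripts(encoded), "live:",
  hasLiveScript(decodeScripts(encoded)));
```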
