3 Answers, 1 is accepted
Accepted
Hi Michael,
The escaping of the script tags is handled via built-in content filters (RemoveScripts and EncodeScripts). These filters can be configured using the ContentFilters property or using the DisableFilter() or EnableFilter() methods.
ASP.NET Example:
<telerik:RadEditor ID="RadEditor1" ContentFilters="MakeUrlsAbsolute,FixEnclosingP" runat="server" />
C# Example:
RadEditor1.DisableFilter(EditorFilters.EncodeScripts);
RadEditor1.DisableFilter(EditorFilters.RemoveScripts);
You can also examine the functionality of the Content Filters in this live example.
Regards,
Ianko
Telerik
miksh answered on 11 Mar 2014, 03:30 PM
Thank you. Could you explain on an example the purpose of EncodeScripts filter?
I added <script>alert("hi")</script> in the live example expecting that this would be rendered in the preview/design view but it's not.
Hello Michael,
Please follow this example configuration and the explanation to examine the EncodeScripts functionality:
Example:
<telerik:RadEditor ID="RadEditor1" runat="server" ContentFilters="EncodeScripts">
    <Content>
        <script type="text/javascript">alert(1);</script>
    </Content>
</telerik:RadEditor>
<telerik:RadButton runat="server" ID="RadButton1" AutoPostBack="false" OnClientClicked="getActualHTML" Text="Get Actual HTML"></telerik:RadButton>
<telerik:RadButton runat="server" ID="RadButton2" AutoPostBack="false" OnClientClicked="getContent" Text="Get Content"></telerik:RadButton>
<br />
<textarea id="output" style="width:400px; height:200px;"></textarea>
<script type="text/javascript">
    function getContent(sender, args) {
        var editor = $find("<%= RadEditor1.ClientID %>");
        var textarea = $get("output");
        textarea.innerHTML = editor.get_html(true);
    }
    function getActualHTML(sender, args) {
        var editor = $find("<%= RadEditor1.ClientID %>");
        var textarea = $get("output");
        textarea.innerHTML = editor.get_contentArea().innerHTML;
    }
</script>
This example is setting the HTML content of the Editor, which is a script code block with a simple alert, into the textarea with id "output". The first button, Get Actual HTML, is retrieving the innerHTML property of the Editor's ContentArea. As seen, the HTML is set as a commented code block:
<!--RADEDITORSAVEDTAG_script type="text/javascript">alert(1);</script-->
This is done to preserve all implemented functionality, but prevent it from triggering in the Editor. If the EncodeScripts filter is disabled, the implemented alert will be invoked on each page load.
The second button, Get Content, is using the Editor's get_html() method to retrieve the real content. That means that the comment block will be replaced with a real script tag:
<script type="text/javascript">alert(1);</script>
In this case, if the content is going to be submitted and used as a standalone page, the implementations would be applicable and run as expected.
I suggest you also check this screencast, in which I am showing how this filter is affecting the content.
The main purpose of this filter is to prevent harmful scripts from being triggered in the source page or the application, but still retain the implemented logic if such is designed with a purpose and used outside of the content area.
Regards,
Ianko
Telerik
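The following is an added example and not Telerik's code or the RadEditor implementation; it re-creates, from the output shown in the answer above, the round trip that the EncodeScripts filter performs (wrapping a script element in an HTML comment with the RADEDITORSAVEDTAG_ prefix, and restoring it on get_html()). The regular expressions and the countLiveScripts() helper are assumptions made for the illustration. The point it makes concrete is that the encoded form only keeps the script inert while it is displayed inside the content area; the content handed back by get_html() contains the executable element again, so anything that is persisted or rendered elsewhere still needs server-side sanitization or an explicit decision to trust the author.

```javascript
// Added example, not Telerik's code: a minimal re-implementation of the
// transformation visible in the answer, to show that EncodeScripts is a
// display-time safeguard and not a sanitizer.

// Marker text copied from the sample output in the answer.
const SAVED_TAG_PREFIX = "RADEDITORSAVEDTAG_";

// Encode: wrap each <script ...>...</script> element in an HTML comment so the
// browser treats it as inert text while the content sits in the editor.
// Produces the shape "<!--RADEDITORSAVEDTAG_script ...>...</script-->".
function encodeScripts(html) {
  return html.replace(
    /<script\b([^>]*)>([\s\S]*?)<\/script>/gi,
    (m, attrs, body) => `<!--${SAVED_TAG_PREFIX}script${attrs}>${body}</script-->`
  );
}

// Decode: the reverse step that get_html() applies before returning the
// "real" content. The script element comes back exactly as it was stored.
function decodeScripts(html) {
  const re = new RegExp(
    `<!--${SAVED_TAG_PREFIX}script\\b([^>]*)>([\\s\\S]*?)<\\/script-->`,
    "gi"
  );
  return html.replace(re, (m, attrs, body) => `<script${attrs}>${body}</script>`);
}

// Defender-side check (assumed helper): count executable script elements in a
// fragment. A non-zero count in content returned by get_html() means the
// fragment must not be rendered into another page without sanitization.
function countLiveScripts(html) {
  const matches = html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi);
  return matches ? matches.length : 0;
}

// Constructed sample content, modelled on the answer's example.
const stored = '<p>Hello</p><script type="text/javascript">alert(1);</script>';
const inEditor = encodeScripts(stored);    // what get_contentArea().innerHTML shows
const submitted = decodeScripts(inEditor); // what get_html() returns

console.log(inEditor);
console.log(submitted);
console.log("live scripts in editor view:", countLiveScripts(inEditor));
console.log("live scripts in submitted content:", countLiveScripts(submitted));
```

Running it prints the commented form first and the restored script second; the editor view reports zero live script elements, the submitted content reports one. That asymmetry is the reason the filter alone does not answer the "is this content safe to publish" question.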