Potential security vulnerability when using the Telerik RadEditor

2 posts, 0 answers
  1. Евгений
    2 posts
    Member since:
    Jan 2016

    Posted 12 Sep

    Hi guys,

    One of the options of the RadEditor is an option to create links using UI (see the attached screenshot RedEditorVulnerability.jpg)

    There is an option to open a new tab when clicking this link on a front-end site.

    What I've recently found is this article with an example https://dev.to/ben/the-targetblank-vulnerability-by-example which says that using "target=_blank" is a potential security hole for any site in any browser for now. There are also some suggestions on how to prevent this (by adding the rel="noopener noreferrer" attribute to a link).

    So I'd like to ask you to add a possibility in the Hyperlink Manager to secure such links (e.g. some kind of checkbox "Protect my link from the target=_blank vulnerability").

    This functionality will be very helpful for those clients who are focused on their sites' security.

    Thank you!


  2. Ianko
    Admin
    1535 posts

    Posted 13 Sep

    Hello,

    Thank you for the useful feedback. Typically, the proper channel to suggest features and improvements is our feedback portal: http://feedback.telerik.com/Project/108/

    I can agree to some extent that such a feature would be nice. However, it is rather the developer's responsibility to make sure that such security vulnerabilities are handled properly. The RadEditor, as a component, enables you to further tweak it so that these attributes are always present in the anchor tags.

    This should be achieved programmatically using client-side and/or server-side code to ensure that the rel attribute is configured as per the application's security requirements. Having options for that in the Hyperlink Manager could cause unneeded confusion among end users who do not have advanced knowledge of HTML and the security vulnerabilities of this attribute.

    Here are some possible options to handle the case:

    If you have any further concerns, ideas or suggestions, please make sure to post them in our feedback portal with further technical details so that the dev team can evaluate them and consider them for the roadmap of RadEditor.

    Regards,
    Ianko
    Telerik by Progress