RadEditor does NOT block JavaScript

  1. Alexander

    Posted 12 Sep 2014

    I am attempting to use the RadEditor on my website, and I do NOT want JavaScript to work in its content, or any kind of XSS to be possible.

    This is what my declaration looks like:
    <%-- NOTE(review): AllowScripts="false" and ContentFilters="RemoveScripts" below did not stop a
         pasted script tag from running (see the post above); the follow-up post reports that calling
         Server.HtmlEncode() on the content when saving is what stopped it. These editor settings appear
         to act on the client side only, so whatever they filter, treat the submitted content as
         untrusted on the server. --%>
    <telerik:RadEditor ID="txtContent" Height="500" Width="600" runat="server" ToolsFile="~/DesktopModules/Admin/RadEditorProvider/Toolsfile/ToolsFileWithUpload.xml"
                    SpellCheckSettings-AllowAddCustom="false" SpellCheckSettings-AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd" OnClientLoad="OnClientLoad"
                    NewLineMode="P" DialogsCssFile="~/css/TelerikSkin/TelerikSkin.css" AllowScripts="false" ContentFilters="RemoveScripts">
                    <Content>
                    </Content>
                    <CssFiles>
                        <telerik:EditorCssFile Value="~/css/YellowToken.css" />
                    </CssFiles>
                    <SpellCheckSettings AllowAddCustom="False" AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd"></SpellCheckSettings>
    </telerik:RadEditor>

    As you can see: AllowScripts="false" and ContentFilters="RemoveScripts" are both set.
    Unfortunately I can still enter something like:
    <script>alert('This Is Bad');</script>
    and the alert still fires. Every time.

    I then searched the Telerik site for help and came across the OnClientLoad method of removing items:
    /**
     * RadEditor OnClientLoad handler: registers a MyFilter instance with the
     * editor's client-side filter manager.
     * @param {object} editor - RadEditor client object.
     * @param {object} args - Event arguments (unused).
     */
    function OnClientLoad(editor, args) {
        var manager = editor.get_filtersManager();
        manager.add(new MyFilter());
    }
                    MyFilter = function () {
                        MyFilter.initializeBase(this);
                        this.set_isDom(false);
                        this.set_enabled(true);
                        this.set_name("RadEditor filter");
                        this.set_description("RadEditor filter description");
                    }
                    MyFilter.prototype =
                    {
                        getHtmlContent: function (content) {
                            var dom = document.createElement("DIV");
                            dom.innerHTML = content;
                            var elems = dom.getElementsByTagName("*");
     
                            for (var i = 0; i < elems.length; i++) {
     
                                //Remove all onmouseover, onmouseout, onclick eventhandlers from element
                                var elem = elems[i];
                                if (elem.hasAttribute("onmouseover")) {
                                    elem.setAttribute("onmouseover", "");
                                }
                                if (elem.hasAttribute("onerror")) {
                                    elem.setAttribute("onerror", "");
                                }
                                if (elem.hasAttribute("onclick")) {
                                    elem.setAttribute("onclick", "");
                                }
                                if (elem.hasAttribute("alert")) {
                                    elem.setAttribute("alert", "");
                                }
                            }
                            return dom.innerHTML;
                        },
                        getDesignContent: function (content) {
                            var dom = document.createElement("DIV");
                            dom.innerHTML = content;
                            var elems = dom.getElementsByTagName("*");
     
                            for (var i = 0; i < elems.length; i++) {
     
                                //Remove all onmouseover, onmouseout, onclick eventhandlers from element
                                var elem = elems[i];
                                if (elem.hasAttribute("onmouseover")) {
                                    elem.setAttribute("onmouseover", "");
                                }
                                if (elem.hasAttribute("onerror")) {
                                    elem.setAttribute("onerror", "");
                                }
                                if (elem.hasAttribute("onclick")) {
                                    elem.setAttribute("onclick", "");
                                }
                                if (elem.hasAttribute("alert")) {
                                    elem.setAttribute("alert", "");
                                }
                            }
                            return dom.innerHTML;
     
                        }
                    }
     
                    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);

    I tried this, taken from a forum post from a while back. Unfortunately it doesn't fix the issue either: it doesn't remove any of the things it claims to remove.

    And this is where I am stuck. Nothing is really doing what it says it does, and I am leaving this for next week. I am just hoping someone can point out something I am doing wrong that I can fix, or else I don't know what to do.
  2. Alexander

    Posted 15 Sep 2014 in reply to Alexander

    I found the issue that was letting the JavaScript through.

    When saving the content, I wasn't calling Server.HtmlEncode() on it. After I did that, it seemed to work properly.