You can simply enable the RemoveScripts filter: http://demos.telerik.com/aspnet-ajax/editor/examples/builtincontentfilters/defaultcs.aspx
You can use the Content server property of the RadEditor to obtain the HTML from the control. Then you can remove the strings deemed dangerous by your scenario (e.g. script tags). This has to happen before this content is put in the database, of course, but since the control does not integrate directly with a database the custom code that does this should be easy to find.
The other option is using the OnClientSubmit event of the control to clean it in the same manner (see the get_html(true) and set_html() methods from its API), but this may interfere with the user's interaction with the control. Here is a small example of a couple of regular expressions:
textHtml = textHtml.replace(new RegExp("<(SCRIPT)([^>]*)/>", "ig"), "");
textHtml = textHtml.replace(new RegExp("<(SCRIPT)([^>]*)>[\\s\\S]*?</(SCRIPT)([^>]*)>", "ig"), "");
where textHtml is the content from the editor, and this forum thread can show you how to run a given filter when needed.
Securing the application and making sure no malicious content is stored is the responsibility of the developer, not of the control.
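As an added example that is not part of the reply above nor code from RadEditor, the script below runs the reply's two regular expressions against a few constructed inputs and places an allow-list sanitizer beside them, so the difference between "remove the strings deemed dangerous" and "keep only what is known to be safe" is visible on real markup. The allowed tag and attribute sets, the sample inputs and the function names are all assumptions made for this example.

```javascript
// Added example, not code from the forum reply or from RadEditor.
// Contrasts the reply's two "remove <script>" regular expressions with an
// allow-list sanitizer. Run with: node sanitize_demo.js

// The two regular expressions from the reply, applied in the same order.
function stripScriptsByRegex(textHtml) {
  textHtml = textHtml.replace(/<(SCRIPT)([^>]*)\/>/gi, "");
  textHtml = textHtml.replace(/<(SCRIPT)([^>]*)>[\s\S]*?<\/(SCRIPT)([^>]*)>/gi, "");
  return textHtml;
}

// Allow-list sanitizer. The tag and attribute sets are an assumption for this
// example: keep only what the editor's toolbar is meant to produce.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const DROP_WITH_BODY = new Set(["script", "style"]); // the tag and everything inside it go

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Accept only http(s), mailto, site-relative and fragment URLs. Stripping
// control characters first defeats "java\tscript:" style smuggling.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "");
  return /^(https?:|mailto:|\/|#)/i.test(v) ? v : null;
}

function sanitizeAllowList(html) {
  const tokenRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let last = 0;
  let dropping = null; // name of the script/style element whose body is being skipped
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    if (!dropping) out += escapeHtml(html.slice(last, m.index)); // text node
    last = tokenRe.lastIndex;
    if (m[1] === undefined) continue;                          // HTML comment: drop
    const tag = m[1].toLowerCase();
    const closing = m[0].charAt(1) === "/";
    if (dropping) {
      if (closing && tag === dropping) dropping = null;
      continue;
    }
    if (DROP_WITH_BODY.has(tag)) {
      // A "<script/>" is still an open tag to browsers, so it is treated as one here too.
      if (!closing) dropping = tag;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;                       // unknown tag: drop tag, keep text
    if (closing) {
      if (tag !== "br") out += "</" + tag + ">";
      continue;
    }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[tag];
    if (allowed) {
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        const name = a[1].toLowerCase();
        let value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || "");
        if (name.startsWith("on") || !allowed.has(name)) continue; // event handlers never pass
        if (name === "href") {
          value = safeHref(value);
          if (value === null) continue;
        }
        attrs += " " + name + '="' + escapeHtml(value) + '"';
      }
    }
    out += "<" + tag + attrs + ">";
  }
  if (!dropping) out += escapeHtml(html.slice(last));         // trailing text
  return out;
}

// Constructed inputs (not taken from the page).
const SAMPLES = [
  '<p>Hi</p><script>alert(1)</script>',                         // both approaches handle this
  '<SCRIPT SRC="//evil.example/x.js"/>',                        // first regex catches this
  '<scr<script></script>ipt>alert(1)</script>',                 // one regex pass reassembles a <script>
  '<img src=x onerror="alert(1)">',                             // no <script> at all
  '<a href="javascript:alert(1)" onclick="alert(2)">click</a>', // dangerous attributes
  '<b>bold</b> & <i>italic</i> <a href="https://example.com" title="t">ok</a>',
];

function compare(html) {
  return { input: html, regex: stripScriptsByRegex(html), allowList: sanitizeAllowList(html) };
}

for (const s of SAMPLES) console.log(compare(s));
```

Two caveats a practitioner would want. First, the regular expressions only remove one shape of one element: event-handler attributes, javascript: URLs and tags split across a removed match all survive them, while the allow list rejects anything it was not told to keep. Second, this tokenizer escapes text blindly (an existing `&amp;` becomes `&amp;amp;`) and is meant to show the approach, not to replace a parser-based sanitizer library on the server. Whatever runs in the browser, whether OnClientSubmit or a client-side content filter, can be skipped by a client that posts the form without the editor, so the cleanup that counts is the one done on the server before the content is stored.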