
Bug With RadEditor

kc asked on 26 Jan 2009, 04:29 PM
Hi,
We are using the RadEditor and are trying to prevent users from entering <script> tags while in HTML mode.
We have used the RemoveScripts filter on the control; however, it doesn't seem to prevent the XSS payload from being saved.
When we read the data from the control the script code is still present.
Many thanks
Kevin

Svetlina Anati
Telerik team
answered on 27 Jan 2009, 09:30 AM

Hello kc,

By default, RadEditor strips all <script> tags in its content area to reduce the possibility of cross-site scripting and other script-related problems. As for stripping inline HTML event attributes (for example onclick, onmouseover, etc.) when the content is submitted, you can do this in code on both the server and the client.

The client-side solution is based on a client-side content filter and demonstrates how to strip the onclick, onmouseover and onmouseout attributes. You can extend it to strip as many attributes as you need. Here it is:

<script type="text/javascript">     
    function OnClientLoad(editor, args)  
    {  
       editor.get_filtersManager().add(new MyFilter());  
    }  
    MyFilter = function()  
    {  
       MyFilter.initializeBase(this);  
       this.set_isDom(false);  
       this.set_enabled(true);  
       this.set_name("RadEditor filter");  
       this.set_description("RadEditor filter description");  
    }  
    MyFilter.prototype =  
    {  
       getHtmlContent : function(content)  
       {  
         var dom = document.createElement("DIV");     
             dom.innerHTML = content;     
                 
             var elems = dom.getElementsByTagName("*");     
             for (var i=0; i < elems.length; i++)     
             {     
                //Remove all onmouseover, onmouseout, onclick eventhandlers from element           
                var elem = elems[i];     
                elem.onmouseover = null;     
                elem.onmouseout = null;     
                elem.onclick = null;     
             }                      
             return dom.innerHTML;      
       }  
    }  
    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);  
    </script>     
 
<telerik:radeditor runat="server" OnClientLoad="OnClientLoad" ID="RadEditor1">  
    <Content>  
        <span onclick="alert(1)">sample content</span><br/>  
                <span onmouseout="alert(1)">sample content</span><br/>  
                        <span onmouseover="alert(1)">sample content</span>  
    </Content>  
</telerik:radeditor>  
 

   
On the server you can strip or replace strings using the RadEditor1.Content.Replace("onclick", "") method. Note that a plain string replacement is not a robust sanitizer (it is case-sensitive and does not understand HTML structure), so for untrusted content prefer a server-side HTML sanitizer that allows only known elements and attributes.

The content area of the editor is an editable IFRAME element, which cannot run server-side scripts, so you need not worry about server-side problems there. Note, however, that a client-side filter can be bypassed by anyone who submits the form without the editor's script running, so the stored content should still be sanitized on the server before it is rendered to other users.

Kind regards,

Svetlina
the Telerik team

Svetlina Anati
Telerik team
answered on 27 Jan 2009, 09:30 AM

Hello kc,

By default, RadEditor strips all <script> tags in its content area to reduce the possibility of cross-site scripting and other script-related problems. As for stripping inline HTML event attributes (for example onclick, onmouseover, etc.) when the content is submitted, you can do this in code on both the server and the client.

The client-side solution is based on a client-side content filter and demonstrates how to strip the onclick, onmouseover and onmouseout attributes. You can extend it to strip as many attributes as you need. Here it is:

<script type="text/javascript">     
    function OnClientLoad(editor, args)  
    {  
       editor.get_filtersManager().add(new MyFilter());  
    }  
    MyFilter = function()  
    {  
       MyFilter.initializeBase(this);  
       this.set_isDom(false);  
       this.set_enabled(true);  
       this.set_name("RadEditor filter");  
       this.set_description("RadEditor filter description");  
    }  
    MyFilter.prototype =  
    {  
       getHtmlContent : function(content)  
       {  
         var dom = document.createElement("DIV");     
             dom.innerHTML = content;     
                 
             var elems = dom.getElementsByTagName("*");     
             for (var i=0; i < elems.length; i++)     
             {     
                //Remove all onmouseover, onmouseout, onclick eventhandlers from element           
                var elem = elems[i];     
                elem.onmouseover = null;     
                elem.onmouseout = null;     
                elem.onclick = null;     
             }                      
             return dom.innerHTML;      
       }  
    }  
    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);  
    </script>     
 
<telerik:radeditor runat="server" OnClientLoad="OnClientLoad" ID="RadEditor1">  
    <Content>  
        <span onclick="alert(1)">sample content</span><br/>  
                <span onmouseout="alert(1)">sample content</span><br/>  
                        <span onmouseover="alert(1)">sample content</span>  
    </Content>  
</telerik:radeditor>  
 

   
On the server you can strip or replace strings using the RadEditor1.Content.Replace("onclick", "") method. Note that a plain string replacement is not a robust sanitizer (it is case-sensitive and does not understand HTML structure), so for untrusted content prefer a server-side HTML sanitizer that allows only known elements and attributes.

The content area of the editor is an editable IFRAME element, which cannot run server-side scripts, so you need not worry about server-side problems there. Note, however, that a client-side filter can be bypassed by anyone who submits the form without the editor's script running, so the stored content should still be sanitized on the server before it is rendered to other users.

Kind regards,

Svetlina
the Telerik team
