We are using the RadEditor and are trying to prevent users from entering <script> tags while in HTML mode.
We have used the RemoveScripts filter on the control, however it doesn't seem to prevent the XSS being saved.
When we read the data from the control the script code is still present.
Many thanks
Kevin
2 Answers, 1 is accepted
Hello kc,
By default, RadEditor strips all <script> tags in its content area to reduce the possibility of cross-site scripting and other script-related problems. As to stripping the HTML inline event attributes (for example onclick, onmouseover, etc.) when submitting the content, you can do this through code both on the server and on the client.
The client-side solution is based on a client-side content filter and demonstrates how to strip the onclick, onmouseover and onmouseout attributes. You can enhance it to strip as many attributes as you want. Here it is:
<script type="text/javascript">
    function OnClientLoad(editor, args)
    {
        editor.get_filtersManager().add(new MyFilter());
    }

    MyFilter = function()
    {
        MyFilter.initializeBase(this);
        this.set_isDom(false);
        this.set_enabled(true);
        this.set_name("RadEditor filter");
        this.set_description("RadEditor filter description");
    }

    MyFilter.prototype =
    {
        getHtmlContent : function(content)
        {
            var dom = document.createElement("DIV");
            dom.innerHTML = content;
            var elems = dom.getElementsByTagName("*");
            for (var i = 0; i < elems.length; i++)
            {
                // Remove the onmouseover, onmouseout and onclick attributes from the element.
                // removeAttribute is needed here: assigning elem.onclick = null only clears the
                // DOM property and leaves the attribute in the serialized innerHTML.
                var elem = elems[i];
                elem.removeAttribute("onmouseover");
                elem.removeAttribute("onmouseout");
                elem.removeAttribute("onclick");
            }
            return dom.innerHTML;
        }
    }
    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
</script>
<telerik:radeditor runat="server" OnClientLoad="OnClientLoad" ID="RadEditor1">
    <Content>
        <span onclick="alert(1)">sample content</span><br/>
        <span onmouseout="alert(1)">sample content</span><br/>
        <span onmouseover="alert(1)">sample content</span>
    </Content>
</telerik:radeditor>
On the server you can strip or replace strings using the RadEditor1.Content.Replace("onclick", "") method.
The content area of the editor is an editable IFRAME element, which cannot run and execute server scripts, so you shouldn't worry about server-side related problems.
Kind regards,
Svetlina
the Telerik team
Check out Telerik Trainer, the state of the art learning tool for Telerik products.
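As an added example (not code from the Telerik answer or from RadEditor), the server-side counterpart of the client filter above: the submitted HTML is parsed as a DOM and every <script> element and every inline event-handler attribute (any attribute whose name starts with "on") is removed, so onClick or ONMOUSEOVER spellings are stripped along with onclick. It assumes the HtmlAgilityPack NuGet package; the class and method names are this example's own.

```csharp
// Added example: server-side stripping of active content from RadEditor output.
// Assumes the HtmlAgilityPack package; EditorContentSanitizer is a name chosen here.
using System;
using System.Linq;
using HtmlAgilityPack;

public static class EditorContentSanitizer
{
    // Returns the HTML with <script> elements and all on* attributes removed.
    public static string StripActiveContent(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Materialise the list first: removing nodes while enumerating
        // Descendants() would invalidate the enumerator.
        var elements = doc.DocumentNode.Descendants()
            .Where(n => n.NodeType == HtmlNodeType.Element)
            .ToList();

        foreach (var element in elements)
        {
            if (element.Name.Equals("script", StringComparison.OrdinalIgnoreCase))
            {
                element.Remove();
                continue;
            }

            // Match attribute names case-insensitively so that onClick and
            // ONMOUSEOVER are caught as well as onclick; a literal
            // Content.Replace("onclick", "") would miss those spellings.
            var handlers = element.Attributes
                .Where(a => a.Name.StartsWith("on", StringComparison.OrdinalIgnoreCase))
                .ToList();
            foreach (var attr in handlers)
            {
                attr.Remove();
            }
        }

        return doc.DocumentNode.InnerHtml;
    }

    // Stand-alone check on constructed input based on the answer's sample content.
    public static void Main()
    {
        const string sample =
            "<span onclick=\"alert(1)\">sample content</span><br/>" +
            "<span onMouseOver=\"alert(1)\">sample content</span>" +
            "<script>alert(1)</script>";
        Console.WriteLine(StripActiveContent(sample));
    }
}
```

Run this on the posted content before saving it, independently of the client filter: the filter runs in the user's browser, so the server cannot rely on it having executed.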