This is a migrated thread and some comments may be shown as answers.

Cross-site scripting issues with the RadEditor control

Steve Holdorf asked on 08 Aug 2012, 05:08 PM
We work in a very secure environment; however, security practices and standards are in place to prevent application attacks. We want to use the RadEditor control on one of our web pages but need to know if there may be any issues with cross-site scripting attacks. Can you briefly explain how cross-site scripting is or is not possible with the RadEditor control?

Thanks,

Steve Holdorf

4 Answers, 1 is accepted

Rumen
Telerik team
answered on 09 Aug 2012, 03:28 PM
Hi,

In general it is not possible to guarantee safe content by all means, because a real hacker can modify the POST array and go round the RadEditor mechanism; it is partially the developer's task to verify it and strip potentially malicious content, as scenarios regarding what content is considered dangerous or not vary greatly.

What RadEditor does is provide the infrastructure on the client to "hook" and clean content - for example, using content filters.
On the server the editor content can be processed just as Microsoft suggests in their article: Chapter 10 – Building Secure ASP.NET Pages and Controls.

The editor does provide the property RemoveScripts filter that would prevent script tags being submitted with its content.

We prepared a sample content filter to help you get started. Please review the code below. It will loop through all elements when going to HTML mode or when submitting content and it will remove a number of potentially dangerous attributes:

<telerik:radeditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">
    <Content>
        <div onmouseover="alert(1);">test</div>
    </Content>
</telerik:radeditor>
<script type="text/javascript">
    function OnClientLoad(editor, args)
    {
        // Register the custom filter with the editor's filters manager.
        editor.get_filtersManager().add(new MyFilter());
    }
    MyFilter = function()
    {
        MyFilter.initializeBase(this);
        this.set_isDom(false);
        this.set_enabled(true);
        this.set_name("RadEditor filter");
        this.set_description("RadEditor filter description");
    }
    MyFilter.prototype =
    {
        // Called when the content goes to HTML mode or is submitted.
        getHtmlContent : function(content)
        {
            // Parse in an inert document: an <img src="x" onerror="..."> placed
            // into a div of the live document would load the image and fire
            // onerror during filtering; the inert document has no browsing context.
            var inert = document.implementation.createHTMLDocument("");
            var dom = inert.createElement("DIV");
            dom.innerHTML = content;
            var elems = dom.getElementsByTagName("*");
            for (var i=0; i < elems.length; i++)
            {
                // Remove the onmouseover, onerror and onclick handlers. Assigning
                // elem.onclick = null clears the property but leaves the attribute
                // in innerHTML, so removeAttribute is required.
                var elem = elems[i];
                elem.removeAttribute("onmouseover");
                elem.removeAttribute("onerror");
                elem.removeAttribute("onclick");
            }
            return dom.innerHTML;
        }
    }
    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
</script>


You can further elaborate on the code by checking on href and src attributes, for example (and removing those if they do not meet requirements).


Kind regards,
Rumen
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
Luke
answered on 25 Sep 2013, 12:48 PM
I'm working on a situation where a hacker enters the following into the radEditor in HTML Mode:

 <img alt="" onerror="alert('XSS')" src="x" />
 <script>prompt();</script>

I have set the RemoveScripts filter and added the custom filter to remove the onerror attribute.  However, when I hit "Submit" or change modes the "XSS" alert is still popping up (the <script> was filtered out).  I thought the filter would execute at the same time as the standard filters but that does not seem to be the case.  It appears that the editor is rendering the html before processing it.  Is that correct and if so, how do I intercept the html and filter it beforehand?

I'm using the same custom filter you outlined in the example and I have confirmed that it is being executed.  

Thanks

Luke
Accepted
Ianko
Telerik team
answered on 30 Sep 2013, 10:59 AM
Hi Steve,

Note that if you are using the below example for the implementation of the custom content filter, you should implement the getDesignContent property in order to trigger the desired logic when switching to Design view. You could follow this online demo for more information about building your own filters.

You can see an example of the suggested approach in the following setup:
<telerik:RadEditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">
    <Content>
        <div onmouseover="alert(1);">test</div>
    </Content>
</telerik:RadEditor>
 
<script type="text/javascript">
    function OnClientLoad(editor, args) {
        editor.get_filtersManager().add(new MyFilter());
    }
    MyFilter = function () {
        MyFilter.initializeBase(this);
        this.set_isDom(false);
        this.set_enabled(true);
        this.set_name("RadEditor filter");
        this.set_description("RadEditor filter description");
    }
    // Shared by both filter methods: removes the onmouseover, onerror and
    // onclick attributes from every element in the content.
    function removeEventHandlers(content)
    {
        // Parse inside an inert document so that markup such as
        // <img src="x" onerror="..."> cannot load and fire while it is filtered.
        var inert = document.implementation.createHTMLDocument("");
        var dom = inert.createElement("DIV");
        dom.innerHTML = content;
        var elems = dom.getElementsByTagName("*");
        for (var i = 0; i < elems.length; i++)
        {
            var elem = elems[i];
            // removeAttribute drops the handler entirely instead of leaving
            // an empty onclick="" behind in the serialized HTML.
            elem.removeAttribute("onmouseover");
            elem.removeAttribute("onerror");
            elem.removeAttribute("onclick");
        }
        return dom.innerHTML;
    }
    MyFilter.prototype =
    {
        // Runs when switching to HTML mode and on submit.
        getHtmlContent: function (content)
        {
            return removeEventHandlers(content);
        },
        // Runs when switching to Design mode, where the content is rendered;
        // without it the handlers reach the design surface unfiltered.
        getDesignContent: function (content)
        {
            return removeEventHandlers(content);
        }
    }
 
    MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
 
</script>



Regards,
Ianko
Telerik
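As an added example that is not code from this thread or from Telerik: a filter that carries Rumen's suggestion of also checking href and src further and implements getDesignContent as Ianko describes. Instead of naming three handlers, it removes every attribute starting with "on", rejects URL-bearing attributes whose scheme is not on an allow-list (after stripping the control characters browsers ignore when parsing a scheme), drops script elements, and parses the markup in an inert document so that content like Luke's img/onerror payload cannot fire while it is being inspected. The filter name StripHandlersFilter, the attribute list and the scheme allow-list are assumptions of this example; the policy functions are pure JavaScript and run without a browser.

```javascript
// Added example (not Telerik's code): a RadEditor content filter that strips
// inline event handlers and non-allow-listed URLs in both editor modes.
// The policy functions are pure so they can be unit-tested without a DOM.

// Attribute names that carry URLs the browser will navigate to or load (assumed list).
var URL_ATTRIBUTES = ["href", "src", "action", "formaction", "background", "poster"];

// Schemes a link or resource inside editor content may use (assumed list).
// Relative URLs (no scheme) are always allowed. data: is deliberately absent,
// so pasted data:image/... pictures are dropped too; add "data" if you need them.
var ALLOWED_SCHEMES = ["http", "https", "mailto", "tel"];

// Any attribute whose name starts with "on" is an inline event handler
// (onerror, onmouseover, onload, ...); prefix matching covers them all.
function isEventHandlerAttribute(name) {
  return /^on/i.test(name);
}

// Browsers ignore ASCII control characters and whitespace when parsing a
// scheme, so "java\tscript:" is treated as "javascript:". Strip them first,
// then compare the scheme case-insensitively against the allow-list.
function isUnsafeUrl(value) {
  var cleaned = String(value).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  var match = cleaned.match(/^([a-z][a-z0-9+.\-]*):/);
  if (!match) {
    return false; // relative URL or fragment: no scheme to abuse
  }
  return ALLOWED_SCHEMES.indexOf(match[1]) === -1;
}

// Decide whether a single attribute must be removed from an element.
function shouldDropAttribute(name, value) {
  var lower = String(name).toLowerCase();
  if (isEventHandlerAttribute(lower)) {
    return true;
  }
  return URL_ATTRIBUTES.indexOf(lower) !== -1 && isUnsafeUrl(value);
}

// Parse the HTML in an inert document (no browsing context) so an
// <img src="x" onerror="..."> cannot load and fire while being inspected,
// then remove <script> elements and every attribute the policy rejects.
// `doc` is the live document whose implementation creates the inert one.
function sanitizeHtml(content, doc) {
  var inert = doc.implementation.createHTMLDocument("");
  var root = inert.createElement("div");
  root.innerHTML = content;

  // Snapshot first: getElementsByTagName returns a live collection.
  var scripts = Array.prototype.slice.call(root.getElementsByTagName("script"));
  for (var s = 0; s < scripts.length; s++) {
    scripts[s].parentNode.removeChild(scripts[s]);
  }

  var elems = root.getElementsByTagName("*");
  for (var i = 0; i < elems.length; i++) {
    var elem = elems[i];
    var names = []; // copy names: elem.attributes is live as well
    for (var j = 0; j < elem.attributes.length; j++) {
      names.push(elem.attributes[j].name);
    }
    for (var k = 0; k < names.length; k++) {
      if (shouldDropAttribute(names[k], elem.getAttribute(names[k]))) {
        elem.removeAttribute(names[k]);
      }
    }
  }
  return root.innerHTML;
}

// Wire the policy into RadEditor, following the filter pattern used in this
// thread. Only called from the editor's OnClientLoad in a browser.
function registerStripHandlersFilter(editor) {
  var StripHandlersFilter = function () {
    StripHandlersFilter.initializeBase(this);
    this.set_isDom(false);
    this.set_enabled(true);
    this.set_name("StripHandlersFilter");
    this.set_description("Removes inline event handlers and non-allow-listed URLs");
  };
  StripHandlersFilter.prototype = {
    // HTML mode and submit.
    getHtmlContent: function (content) { return sanitizeHtml(content, document); },
    // Design mode: the content is rendered here, so it must be filtered too.
    getDesignContent: function (content) { return sanitizeHtml(content, document); }
  };
  StripHandlersFilter.registerClass("StripHandlersFilter", Telerik.Web.UI.Editor.Filter);
  editor.get_filtersManager().add(new StripHandlersFilter());
}

// OnClientLoad="OnClientLoad" on the <telerik:RadEditor> markup calls this.
function OnClientLoad(editor, args) {
  registerStripHandlersFilter(editor);
}
```

The inert document matters more than it looks: setting innerHTML on a div of the live page does not run script elements, but it does fetch image sources, so the onerror handler in Luke's example fires inside the filter itself before any attribute is removed. A document created with createHTMLDocument has no browsing context, so nothing loads or executes there. This is still client-side filtering only; as Rumen notes, the POST body can be altered outside the editor, so the same policy has to be enforced on the server before the content is stored or rendered.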
tammy
answered on 29 Jul 2014, 11:38 AM
XSS is actually a way through which a cyber criminal can inject a malicious script into the victim's computer.
An XSS infection uses various ways to infect your system. For example: posting a link that contains an infected URL on Twitter, and the rest of the task is automatically done by Twitter, i.e. covering the posted URL moderately. To know how to protect from XSS kindly visit: http://www.fixbrowserthreats.com/xss-attack-remove-xss