This is a migrated thread and some comments may be shown as answers.

Editor ContentFilters not working as expected

1 Answer 184 Views
Editor
This is a migrated thread and some comments may be shown as answers.
Nicholas
Top achievements
Rank 1
Nicholas asked on 09 Dec 2015, 04:29 PM

I'm having an issue where, as far as I can tell, the ContentFilters aren't working.  For my test content, I'm using:

<p onclick="alert('p-fired')">test text</p>
<script>
alert("fired");
</script>

My editor declaration looks like this:

<telerik:RadEditor runat="server" ID="reNewComment" ContentAreaMode="Div" StripFormattingOnPaste="MSWord,ConvertWordLists,Css"
                            Width="100%" ToolTip="New Comment" Height="300px" EnableResize="True" AllowScripts="False"
                            ContentFilters="StripDomEventAttributes,StripCssExpressions,RemoveScripts" EditModes="Design">

Now, my text is reaching the server as:

&lt;p onclick="alert('p-fired')"&gt;test text&lt;/p&gt;
&lt;script&gt;
alert("fired");
&lt;/script&gt;

This is getting saved this way, and when the page is reloaded both events work.  Am I declaring my content filters incorrectly?  I figured they would strip out the script stuff client side, before reaching the server.  Any help is appreciated, thanks.

 

1 Answer, 1 is accepted

Sort by
0
Ianko
Telerik team
answered on 11 Dec 2015, 09:46 AM
Hi Nicholas,

I already replied you to this question in the ticket opened to us. You can refer ti my answer there. I suggest you continuing the conversation in the ticket thread.  


For anyone else interested in the matter:

In Design mode, pasting HTML is inserted as plain text not as HTML markup. Therefore, any harmful code is encoded automatically and scripts are neither functional, nor compiled by the browser. 

The prevent mechanisms documented here (http://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss)) are relevant for script injections. 

With only Design mode on, this is testable by either using automated scripts, the browser's dev toolbar or the browser's console. More information is available here— https://www.google.com/about/appsecurity/learning/xss/.

Regards,
Ianko
Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Tags
Editor
Asked by
Nicholas
Top achievements
Rank 1
Answers by
Ianko
Telerik team
Share this question
or