This is a migrated thread and some comments may be shown as answers.

Potential security vulnerability when using the Telerik RadEditor

1 Answer 283 Views
Editor
This is a migrated thread and some comments may be shown as answers.
Евгений
Top achievements
Rank 1
Евгений asked on 12 Sep 2016, 08:49 AM

Hi guys,

One of the options of the RadEditor is an option to create links using UI (see the attached screenshot RedEditorVulnerability.jpg)

Here is an option to open a new tab when clicking this link on a front-end site.

What I've recently found is this article with an example https://dev.to/ben/the-targetblank-vulnerability-by-example which says that using the "target=_blank" is a potential security hole for any site in any browser for now. Also there are some suggestions regarding on how to prevent this (by adding the rel="noopener noreferrer" attribute to a link).

So I'd like to ask you to add a possibility in the Hyperlink Manager to secure such links (e.g. some kind of checkbox "Protect my link from the target=_blank vulnerability").

This functionality will be very helpful for those clients who are focused on their sites' security.

Thank you!

 

1 Answer, 1 is accepted

Sort by
0
Ianko
Telerik team
answered on 13 Sep 2016, 12:12 PM

Hello,

Thank you for the useful feedback. Typically, the proper channel to suggest features and improvements is our feedback portal: http://feedback.telerik.com/Project/108/

I can agree at some extent that such a feature would be nice. However, it is rather the developer's responsibility to make sure that such security vulnerabilities are handled properly. The RadEditor, as a component, can enable you to further tweak it so to have always these attributes in the anchor tags.

This should be programmatically achieved using client-side and/or server-side code to ensure that the rel attribute is configured as per to the application's security requirements. Having options for that in the Hyperlink Manager could cause unneeded confusion among end users that does not have so advanced knowledge on HTML and the security vulnerabilities of this attribute. 

Here you are some possible options to handle the case:

If you have any further concerns, ideas or suggestions, please make sure to post them in our feedback portal with further technical details so that the dev team can evaluate them and consider them for the roadmap of RadEditor.

Regards,
Ianko
Telerik by Progress
Do you need help with upgrading your ASP.NET AJAX, WPF or WinForms projects? Check the Telerik API Analyzer and share your thoughts.
Tags
Editor
Asked by
Евгений
Top achievements
Rank 1
Answers by
Ianko
Telerik team
Share this question
or