I am attempting to use the Rad Editor for my website and I do NOT want JavaScript to be working, or any type of XSS capabilities.
This is what my declaration looks lik
As you can see: AllowScripts="false" and ContentFilters="RemoveScripts" are both set.
Unfortunately I can still enter in something like:
And it will still do the alert. Every time.
I was then searching around on the telerik site looking for help and ran across the OnClientLoad method of removing items.
I attempted this from a forum post a while back. Unfortunately it doesn't actually fix the issue either. It doesn't remove any of the things that it says it does.
And this is where I am stuck at. Nothing is really working for what it says its doing and I am leaving this for next week. I am just hoping someone points out something that I am perhaps doing wrong and can fix, or I don't know what.
This is what my declaration looks lik
<
telerik:RadEditor
ID
=
"txtContent"
Height
=
"500"
Width
=
"600"
runat
=
"server"
ToolsFile
=
"~/DesktopModules/Admin/RadEditorProvider/Toolsfile/ToolsFileWithUpload.xml"
SpellCheckSettings-AllowAddCustom
=
"false"
SpellCheckSettings-AjaxUrl
=
"/Telerik.Web.UI.SpellCheckHandler.axd"
OnClientLoad
=
"OnClientLoad"
NewLineMode
=
"P"
DialogsCssFile
=
"~/css/TelerikSkin/TelerikSkin.css"
AllowScripts
=
"false"
ContentFilters
=
"RemoveScripts"
>
<
Content
>
</
Content
>
<
CssFiles
>
<
telerik:EditorCssFile
Value
=
"~/css/YellowToken.css"
/>
</
CssFiles
>
<
SpellCheckSettings
AllowAddCustom
=
"False"
AjaxUrl
=
"/Telerik.Web.UI.SpellCheckHandler.axd"
></
SpellCheckSettings
>
</
telerik:RadEditor
>
As you can see: AllowScripts="false" and ContentFilters="RemoveScripts" are both set.
Unfortunately I can still enter in something like:
<script>alert(
'This Is Bad'
);</script>
I was then searching around on the telerik site looking for help and ran across the OnClientLoad method of removing items.
function
OnClientLoad(editor, args) {
editor.get_filtersManager().add(
new
MyFilter());
}
MyFilter =
function
() {
MyFilter.initializeBase(
this
);
this
.set_isDom(
false
);
this
.set_enabled(
true
);
this
.set_name(
"RadEditor filter"
);
this
.set_description(
"RadEditor filter description"
);
}
MyFilter.prototype =
{
getHtmlContent:
function
(content) {
var
dom = document.createElement(
"DIV"
);
dom.innerHTML = content;
var
elems = dom.getElementsByTagName(
"*"
);
for
(
var
i = 0; i < elems.length; i++) {
//Remove all onmouseover, onmouseout, onclick eventhandlers from element
var
elem = elems[i];
if
(elem.hasAttribute(
"onmouseover"
)) {
elem.setAttribute(
"onmouseover"
,
""
);
}
if
(elem.hasAttribute(
"onerror"
)) {
elem.setAttribute(
"onerror"
,
""
);
}
if
(elem.hasAttribute(
"onclick"
)) {
elem.setAttribute(
"onclick"
,
""
);
}
if
(elem.hasAttribute(
"alert"
)) {
elem.setAttribute(
"alert"
,
""
);
}
}
return
dom.innerHTML;
},
getDesignContent:
function
(content) {
var
dom = document.createElement(
"DIV"
);
dom.innerHTML = content;
var
elems = dom.getElementsByTagName(
"*"
);
for
(
var
i = 0; i < elems.length; i++) {
//Remove all onmouseover, onmouseout, onclick eventhandlers from element
var
elem = elems[i];
if
(elem.hasAttribute(
"onmouseover"
)) {
elem.setAttribute(
"onmouseover"
,
""
);
}
if
(elem.hasAttribute(
"onerror"
)) {
elem.setAttribute(
"onerror"
,
""
);
}
if
(elem.hasAttribute(
"onclick"
)) {
elem.setAttribute(
"onclick"
,
""
);
}
if
(elem.hasAttribute(
"alert"
)) {
elem.setAttribute(
"alert"
,
""
);
}
}
return
dom.innerHTML;
}
}
MyFilter.registerClass(
'MyFilter'
, Telerik.Web.UI.Editor.Filter);
I attempted this from a forum post a while back. Unfortunately it doesn't actually fix the issue either. It doesn't remove any of the things that it says it does.
And this is where I am stuck at. Nothing is really working for what it says its doing and I am leaving this for next week. I am just hoping someone points out something that I am perhaps doing wrong and can fix, or I don't know what.