This is a migrated thread and some comments may be shown as answers.

RadEditor does NOT block JavaScript

Alexander asked on 12 Sep 2014, 06:35 PM
I am attempting to use the Rad Editor for my website and I do NOT want JavaScript to be working, or any type of XSS capabilities.

This is what my declaration looks like:
<telerik:RadEditor ID="txtContent" Height="500" Width="600" runat="server" ToolsFile="~/DesktopModules/Admin/RadEditorProvider/Toolsfile/ToolsFileWithUpload.xml"
                SpellCheckSettings-AllowAddCustom="false" SpellCheckSettings-AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd" OnClientLoad="OnClientLoad"
                NewLineMode="P" DialogsCssFile="~/css/TelerikSkin/TelerikSkin.css" AllowScripts="false" ContentFilters="RemoveScripts">
                <Content>
                </Content>
                <CssFiles>
                    <telerik:EditorCssFile Value="~/css/YellowToken.css" />
                </CssFiles>
                <SpellCheckSettings AllowAddCustom="False" AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd"></SpellCheckSettings>
</telerik:RadEditor>

As you can see: AllowScripts="false" and ContentFilters="RemoveScripts" are both set.
Unfortunately I can still enter in something like:
<script>alert('This Is Bad');</script>
And it will still do the alert. Every time.

I was then searching around on the telerik site looking for help and ran across the OnClientLoad method of removing items.
function OnClientLoad(editor, args) {
    editor.get_filtersManager().add(new MyFilter());
}

// Attribute names the filter strips. "alert" is not an HTML attribute, so a
// check for it can never match and is not included here.
var HANDLER_ATTRIBUTES = ["onmouseover", "onerror", "onclick"];

var MyFilter = function () {
    MyFilter.initializeBase(this);
    this.set_isDom(false);
    this.set_enabled(true);
    this.set_name("RadEditor filter");
    this.set_description("RadEditor filter description");
};

// Parses the HTML into a detached element, removes the listed event-handler
// attributes from every element, and serialises the result again.
// Note that only these attributes are touched: <script> elements and any other
// handler attribute (onload, onmouseout, ...) pass through unchanged.
function stripHandlerAttributes(content) {
    var dom = document.createElement("DIV");
    dom.innerHTML = content;
    var elems = dom.getElementsByTagName("*");
    for (var i = 0; i < elems.length; i++) {
        for (var j = 0; j < HANDLER_ATTRIBUTES.length; j++) {
            // removeAttribute rather than setAttribute(name, ""), so the
            // attribute disappears instead of being left in place empty.
            elems[i].removeAttribute(HANDLER_ATTRIBUTES[j]);
        }
    }
    return dom.innerHTML;
}

MyFilter.prototype = {
    // Applied when the editor switches to HTML view
    getHtmlContent: function (content) {
        return stripHandlerAttributes(content);
    },
    // Applied when the editor switches to design view
    getDesignContent: function (content) {
        return stripHandlerAttributes(content);
    }
};

MyFilter.registerClass("MyFilter", Telerik.Web.UI.Editor.Filter);

I attempted this from a forum post a while back. Unfortunately it doesn't actually fix the issue either. It doesn't remove any of the things that it says it does.

And this is where I am stuck. Nothing is really working for what it says it's doing, and I am leaving this for next week. I am just hoping someone points out something that I am perhaps doing wrong and can fix, or I don't know what.

1 Answer, 1 is accepted

Alexander answered on 15 Sep 2014, 06:23 PM
I found the issue that was causing the javascript to go through.

Whenever I was saving the information, I wasn't doing a Server.HtmlEncode() around the content. After I did this it seemed to work properly. 
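The fix described in the answer, modelled as an added example (this is not Telerik's code and not code from the original post; Node.js stands in for the ASP.NET server, and the sample submissions, the page template and the inertness check are assumptions made for the example). The point it demonstrates: AllowScripts, ContentFilters and the OnClientLoad filter all run in the user's browser, so anyone can skip them by submitting the form field directly, and what actually stops the script is encoding the stored content on the server at the point it is written into a page, which is what Server.HtmlEncode does. The last submission shows the trade-off: encoding turns the editor's own <b> and <i> markup into literal text as well, so a site that needs the rich HTML rendered has to run a server-side sanitiser with an element and attribute allowlist instead.

```javascript
// Added example: a Node.js model of the server side of the RadEditor page above.
// The client-side editor settings are not a security boundary; the server must
// treat the posted Content as untrusted and encode it when it emits it.

// Constructed sample submissions. The second and third would pass the
// question's OnClientLoad filter untouched; the last one is ordinary rich text.
const SUBMISSIONS = [
  "<script>alert('This Is Bad');</script>",
  '<img src=x onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  '<b>bold</b> and <i>italic</i>',
];

// Mirrors what Server.HtmlEncode does to the characters that can open a tag,
// an attribute value or an entity: each one becomes an entity reference.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// A fragment is inert as text if no tag-opening or attribute-quoting character
// is left in it. Blunt, but sufficient for judging this model's output.
function isInertText(fragment) {
  return !/[<>"']/.test(fragment);
}

// Assumed page template into which the stored content is placed.
const pageWith = (fragment) => `<html><body><div class="post">${fragment}</div></body></html>`;

// "Before": the stored value is dropped straight into the page, so whatever
// the browser-side filter let through executes in every visitor's browser.
function renderUnsafe(stored) {
  return pageWith(stored);
}

// "After": the stored value is HTML-encoded where it is emitted. The payloads
// become visible text; so does the <b> markup, which is the cost of encoding.
function renderEncoded(stored) {
  return pageWith(htmlEncode(stored));
}

// Runs every submission through both paths and reports which ones still carry
// live markup into the page.
function evaluate(submissions = SUBMISSIONS) {
  return submissions.map((raw) => ({
    raw,
    rawIsActive: !isInertText(raw),
    encoded: htmlEncode(raw),
    encodedIsInert: isInertText(htmlEncode(raw)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluate()) {
    console.log(`${r.rawIsActive ? 'LIVE ' : 'inert'} raw     : ${r.raw}`);
    console.log(`${r.encodedIsInert ? 'inert' : 'LIVE '} encoded : ${r.encoded}`);
  }
}
```

Running the file prints, for each submission, whether the raw and the encoded render paths still carry markup. The answer applies the encoding on save rather than on render; the effect on what the browser sees is the same as long as the stored value is never emitted raw anywhere else, which is why encoding at output is the more robust place to do it.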