I am attempting to use the RadEditor for my website and I do NOT want JavaScript to be working, or any type of XSS capabilities.

This is what my declaration looks like:

```aspx
<telerik:RadEditor ID="txtContent" Height="500" Width="600" runat="server"
    ToolsFile="~/DesktopModules/Admin/RadEditorProvider/Toolsfile/ToolsFileWithUpload.xml"
    SpellCheckSettings-AllowAddCustom="false"
    SpellCheckSettings-AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd"
    OnClientLoad="OnClientLoad"
    NewLineMode="P"
    DialogsCssFile="~/css/TelerikSkin/TelerikSkin.css"
    AllowScripts="false"
    ContentFilters="RemoveScripts">
    <Content> </Content>
    <CssFiles>
        <telerik:EditorCssFile Value="~/css/YellowToken.css" />
    </CssFiles>
    <SpellCheckSettings AllowAddCustom="False" AjaxUrl="/Telerik.Web.UI.SpellCheckHandler.axd"></SpellCheckSettings>
</telerik:RadEditor>
```

As you can see, AllowScripts="false" and ContentFilters="RemoveScripts" are both set.

Unfortunately I can still enter something like:

```html
<script>alert('This Is Bad');</script>
```

And it will still do the alert. Every time.

I was then searching around on the Telerik site looking for help and ran across the OnClientLoad method of removing items.

```javascript
function OnClientLoad(editor, args) {
    // Register the custom filter with the editor's filter manager.
    editor.get_filtersManager().add(new MyFilter());
}

MyFilter = function () {
    MyFilter.initializeBase(this);
    this.set_isDom(false);
    this.set_enabled(true);
    this.set_name("RadEditor filter");
    this.set_description("RadEditor filter description");
}

// Parse the content into a detached DIV and blank a few inline event handlers.
// Only the four attributes listed below are touched; "alert" is not an HTML
// attribute, so that branch never matches, and <script> elements are left alone.
function stripHandlers(content) {
    var dom = document.createElement("DIV");
    dom.innerHTML = content;
    var elems = dom.getElementsByTagName("*");
    for (var i = 0; i < elems.length; i++) {
        //Remove all onmouseover, onmouseout, onclick eventhandlers from element
        var elem = elems[i];
        if (elem.hasAttribute("onmouseover")) { elem.setAttribute("onmouseover", ""); }
        if (elem.hasAttribute("onerror")) { elem.setAttribute("onerror", ""); }
        if (elem.hasAttribute("onclick")) { elem.setAttribute("onclick", ""); }
        if (elem.hasAttribute("alert")) { elem.setAttribute("alert", ""); }
    }
    return dom.innerHTML;
}

MyFilter.prototype = {
    // Called when switching from design view to HTML view.
    getHtmlContent: function (content) {
        return stripHandlers(content);
    },
    // Called when switching from HTML view to design view.
    getDesignContent: function (content) {
        return stripHandlers(content);
    }
}

MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
```

I attempted this from a forum post a while back. Unfortunately it doesn't actually fix the issue either. It doesn't remove any of the things that it says it does.

And this is where I am stuck. Nothing is really working for what it says it's doing and I am leaving this for next week. I am just hoping someone points out something that I am perhaps doing wrong and can fix, or I don't know what.
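The filter posted in the question starts from a short deny-list (four attribute names, one of which is not an HTML attribute) and never removes `<script>` elements, so the `<script>alert('This Is Bad');</script>` payload passes through it unchanged. Even a correct client-side filter would not be a security control, because the browser-side RadEditor filter chain is bypassed by simply posting the form field directly; the check has to run on the server against the submitted value. The following is an added example, not code from the question, from the forum post it mentions, or from Telerik: an allow-list sanitizer that drops every element and attribute it does not recognise, discards the whole content of `<script>`/`<style>`/`<iframe>`-type elements, and rejects `javascript:`/`data:` URLs even when they are entity-encoded or padded with control characters. It goes beyond the single `<script>` case in the question to the general approach. The tag and attribute allow-list and the function names are my assumptions, and the tokenizer is a deliberately small regex one so the example runs in Node; a regex tokenizer and a browser's HTML parser disagree on malformed markup (for instance a `>` inside a quoted attribute value), so in production the same allow-list idea should be applied with a maintained parser-based sanitizer library, on the server, in whatever language the server side uses.

```javascript
// Added example (not from the question and not Telerik code): an allow-list
// HTML sanitizer. Assumptions (mine, not the page's): the allow-lists below and
// a small regex tokenizer so that this runs in Node without a DOM. Production
// code should use a parser-based sanitizer library with the same allow-list idea.

const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
  "h1", "h2", "h3", "blockquote", "a", "img", "span",
]);
// Attributes permitted per tag; "*" applies to every allowed tag. on* handlers
// and style are absent on purpose, so they are dropped without a special case.
const ALLOWED_ATTRS = {
  "*": new Set(["class", "title"]),
  a: new Set(["href"]),
  img: new Set(["src", "alt", "width", "height"]),
};
const URL_ATTRS = new Set(["href", "src"]);
// Elements whose entire content is discarded along with the tags.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "noscript", "template"]);

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":", tab: "\t", newline: "\n" };

// Decode entities first so href="javascript&#58;..." is judged on what the
// browser will actually see, not on the encoded form.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

function safeUrl(value) {
  // Browsers skip ASCII controls/whitespace inside the scheme ("java\tscript:"),
  // so strip them before looking at it. Only http(s), mailto and relative URLs pass.
  const u = value.replace(/[\x00-\x20]/g, "").toLowerCase();
  if (/^(https?|mailto):/.test(u)) return true;
  return !u.includes(":"); // rejects javascript:, data:, vbscript: and unknown schemes
}

const escText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Comment, or open/close tag with its raw attribute string (group 2).
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// name, name="v", name='v' or name=v.
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(tag, attrString) {
  let out = "";
  ATTR_RE.lastIndex = 0;
  for (let a; (a = ATTR_RE.exec(attrString)) !== null; ) {
    const name = a[1].toLowerCase();
    const allowed = ALLOWED_ATTRS["*"].has(name) || (ALLOWED_ATTRS[tag] !== undefined && ALLOWED_ATTRS[tag].has(name));
    if (!allowed) continue; // covers every on* handler and style
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escAttr(value)}"`;
  }
  return out;
}

// Returns HTML rebuilt from allowed tags, allowed attributes and escaped text
// only; everything else is dropped rather than "neutralised".
function sanitize(html) {
  let out = "";
  let last = 0;
  let dropUntil = null; // set while inside <script>...</script> and friends
  TAG_RE.lastIndex = 0;
  for (let m; (m = TAG_RE.exec(html)) !== null; ) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    const name = m[1] ? m[1].toLowerCase() : null; // null for an HTML comment
    const closing = m[0][1] === "/";
    if (dropUntil !== null) {
      if (name === dropUntil && closing) dropUntil = null;
      continue; // text and tags inside the dropped element are discarded
    }
    out += escText(text);
    if (name === null) continue; // comments are dropped (conditional comments can carry markup)
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown element: keep its text, lose the tag
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  if (dropUntil === null) out += escText(html.slice(last)); // an unclosed <script> eats the rest
  return out;
}
```

Run `sanitize()` on the posted value of `txtContent` before it is stored or rendered; the editor-side filter can stay for user experience, but it is the server-side pass that decides what reaches other users' browsers. The difference from the question's filter is the direction of the check: the posted code asks "is this one of the attributes I know are bad?", while the sanitizer asks "is this one of the few tags and attributes I know are safe?", which is why `<svg onload>`, `<iframe>`, `style="expression(...)"` and encoded `javascript:` links need no individual rules.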