1 Answer, 1 is accepted
Hello Roland,
We intentionally strip the event onclick attributes when you paste HTML in the Editor for security reasons. If the users of your application are able to add click handlers (or other events) that could potentially cause security vulnerabilities that stem from our Editor component. That is why we would not want to allow such attributes.
I hope that gives you a good understanding of why we chose to take that route and strip such attributes.
Regards,
Svetoslav Dimitrov
Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Rank 3
Iron
Iron
Veteran
"That is why we would not want to allow such attributes"
Nor do I, unless I trust the user. I wanted the admins of the app to have full control. The rest does not even get the ViewHtml control. So it would have been better if there was an opt in for "no filtering".
But I found a workaround. I can construct a valid tag with all needed information that the Editor accepts and that I can morph into the correct <a> tag with onclick handler before the browser sees it.