Hi Steve,

Let me explain once again that we are ready to implement a malicious content stripping filter, but it should handle more problematic scenarios. Right now we have only this one for the refresh meta tag, which is insufficient. If you or other developers suggest more scenarios, we will gladly add a new filter to the existing list.

In the meantime, there is yet another mean to register a client content filter. The RadEditor OnClientLoad property has a JavaScript equivalent, which allows the developer to set it via the editor.add_load(functionName); Client-side method.

You can get a reference to all RadEditor instances on the page on the client through the $telerik.radControls array, e.g.

if (typeof ($telerik) != "undefined") {
	// this is a collection of all RadControls loaded in to the page
	var controls = $telerik.radControls;
	for (var i = 0, length = controls.length; i < length; i++) {
		var control = controls[i];
		if (control instanceof Telerik.Web.UI.RadEditor) {
		    return control;
		}
	}
}

Best regards,
Rumen

Hi guys,

The reported behavior by Steve could be easily handled using the advanced custom content filter functionality of RadEditor. Here is an example demonstrating how to strip the page refresh Meta tag:

        <telerik:RadEditor runat="server" ID="RadEditor1" SkinID="DefaultSetOfTools" OnClientLoad="OnClientLoad">
            <Content>
            </Content>
        </telerik:RadEditor>

        <script type="text/javascript">
            function OnClientLoad(editor, args) {
                editor.get_filtersManager().add(new MyFilter());
            }

            MyFilter = function () {
                MyFilter.initializeBase(this);
                this.set_isDom(false);
                this.set_enabled(true);
                this.set_name("RadEditor filter");
                this.set_description("RadEditor filter description");
            }

            MyFilter.prototype = {
                getDesignContent: function (content) {
                    var newContent = content.replace(/(<meta[^>]*?)(http-equiv="refresh")([^>]*?>)/gi, "$1$3");              
                    return newContent;
                }
            }
            MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
        </script>

The developer could tweak the code further to cover even more problematic scenarios by executing his/her own logic based on regular expression(s) for any malicious tags, attributes and other content.

If you find more problematic scenarios with malicious content, please, report them so that we can decide whether or not to create a new built-in content filter for RadEditor. 

Thank you in advance!

Best regards,
Rumen

Yes, the reported issue is valid and we will have it in mind. 

Is there another problematic behavior that you would like to report?

Right now, the editor offers only a RemoveScript filter that covers the removal of script tags. It does not clean the inline JavaScript attributes for example the onclick one, nor the meta tags.

My request to you is that you share your experience and feedback on this matter, so that we can cover more scenarios by the RemoveScript filter or implement a new better one.

Hi Steve,

The provided code snippet in your first post is perfect, but usually we cover such scenarios with custom content filters? 

In order to create a new built-in filter, we will need to cover more scenarios. Do you know any other scenarios which could be handled by this filter?

Best regards,
Rumen

Hi Steve,

Can you give us more information on the requested functionality? Do you know other cases where malicious code is inserted in the Editor and its content should be handled with a specific filter? 

A short list of scenarios along with code snippet examples will be very helpful.