Completed
Last Updated: 26 May 2014 13:43 by Steve
Steve
Created on: 28 Nov 2013 14:36
Category: Editor
Type: Feature Request
0
Radeditor filter for "bad" content
User is able to add this to the radeditor with allowscripts=false...granted not a script but CLEARLY gaming the system.  It shouldn't be up to us to write custom filters to handle these things, it should be native and tested in the editor itself.


<h1>TROLOLOLOLOLOL</h1><meta http-equiv="refresh" content="1;url=http://bit.ly/1bJjrjr" />
<fk></fk>
11 comments
Steve
Posted on: 26 May 2014 13:43
No I understand what you're saying, I'm not at all confused...

But look at this from my perspective.  Every radeditor on every page in every project would need this client code?...common...would you want to re-re-re-re-re-re-re-implement it everywhere?
ADMIN
Rumen
Posted on: 26 May 2014 08:03
Hi Steve,

Let me explain once again that we are ready to implement a malicious content stripping filter, but it should handle more problematic scenarios. Right now we have only this one for the refresh meta tag, which is insufficient. If you or other developers suggest more scenarios, we will gladly add a new filter to the existing list.

In the meantime, there is yet another mean to register a client content filter. The RadEditor OnClientLoad property has a JavaScript equivalent, which allows the developer to set it via the editor.add_load(functionName); Client-side method.

You can get a reference to all RadEditor instances on the page on the client through the $telerik.radControls array, e.g.

if (typeof ($telerik) != "undefined") {
	// this is a collection of all RadControls loaded in to the page
	var controls = $telerik.radControls;
	for (var i = 0, length = controls.length; i < length; i++) {
		var control = controls[i];
		if (control instanceof Telerik.Web.UI.RadEditor) {
		    return control;
		}
	}
}

Best regards,
Rumen
Steve
Posted on: 22 May 2014 14:23
So every radeditor on every site I'd need to add OnClient code...give me a break :/

...and now edit every radeditor template in Sitefinity to add this?
ADMIN
Rumen
Posted on: 22 May 2014 14:02
Hi guys,

The reported behavior by Steve could be easily handled using the advanced custom content filter functionality of RadEditor. Here is an example demonstrating how to strip the page refresh Meta tag:

        <telerik:RadEditor runat="server" ID="RadEditor1" SkinID="DefaultSetOfTools" OnClientLoad="OnClientLoad">
            <Content>
            </Content>
        </telerik:RadEditor>

        <script type="text/javascript">
            function OnClientLoad(editor, args) {
                editor.get_filtersManager().add(new MyFilter());
            }

            MyFilter = function () {
                MyFilter.initializeBase(this);
                this.set_isDom(false);
                this.set_enabled(true);
                this.set_name("RadEditor filter");
                this.set_description("RadEditor filter description");
            }

            MyFilter.prototype = {
                getDesignContent: function (content) {
                    var newContent = content.replace(/(<meta[^>]*?)(http-equiv="refresh")([^>]*?>)/gi, "$1$3");              
                    return newContent;
                }
            }
            MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
        </script>

The developer could tweak the code further to cover even more problematic scenarios by executing his/her own logic based on regular expression(s) for any malicious tags, attributes and other content.

If you find more problematic scenarios with malicious content, please, report them so that we can decide whether or not to create a new built-in content filter for RadEditor. 

Thank you in advance!

Best regards,
Rumen
Attached Files:
ADMIN
Rumen
Posted on: 19 May 2014 15:45
Yes, the reported issue is valid and we will have it in mind. 

Is there another problematic behavior that you would like to report?
Steve
Posted on: 19 May 2014 13:53
I'm not sure what you mean? Experience was we used a radeditor, someone saved\added the above markup to redirect the page....and it worked
ADMIN
Rumen
Posted on: 19 May 2014 13:43
Right now, the editor offers only a RemoveScript filter that covers the removal of script tags. It does not clean the inline JavaScript attributes for example the onclick one, nor the meta tags.

My request to you is that you share your experience and feedback on this matter, so that we can cover more scenarios by the RemoveScript filter or implement a new better one.
Steve
Posted on: 19 May 2014 12:52
Is there no malicious script handling at all?
ADMIN
Rumen
Posted on: 19 May 2014 12:42
Hi Steve,

The provided code snippet in your first post is perfect, but usually we cover such scenarios with custom content filters? 

In order to create a new built-in filter, we will need to cover more scenarios. Do you know any other scenarios which could be handled by this filter?

Best regards,
Rumen
Steve
Posted on: 19 May 2014 12:02
Put this in a while ago, but I put a snippet in the post
ADMIN
Stamo Gochev
Posted on: 19 May 2014 11:18
Hi Steve,

Can you give us more information on the requested functionality? Do you know other cases where malicious code is inserted in the Editor and its content should be handled with a specific filter? 

A short list of scenarios along with code snippet examples will be very helpful.