Completed
Last Updated: 16 Feb 2022 16:33 by ADMIN
Release R1 2022 SP1
Peter
Created on: 15 Feb 2022 16:06
Category: Editor
Type: Bug Report
StripCssExpressions content filter breaks on linebreak

Hi,

When using the StripCssExpressions content filter, it works as expected in most cases, but when there is a line break inside the style it breaks.

For example, the content filters used in a RadEditor control would be:
<telerik:RadEditor ContentFilters="RemoveScripts,StripCssExpressions,StripDomEventAttributes" />

This works for (expression gets filtered out as expected)
<span style="width: expression((document.body.offsetWidth / 4 + 30) + 'px'); background-color: green;">text in a span</span>

This doesn't work for (expression remains)
<span style="width: 
expression((document.body.offsetWidth / 4 + 30) + 'px'); background-color: green;">text in a span</span>

The purpose of the content filter is to prevent XSS attacks, and in our solution it is used alongside several other means to avoid malicious code execution.

As expected, the filter not working is a security risk.

Does anyone have a good workaround available? (or is there a timeline on an official bugfix?)

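The two inputs above differ only in the line break after `width:`, which is exactly the case a line-oriented filter misses. The following is an added example, not Telerik's code and not the RadEditor StripCssExpressions implementation: it shows a line-bound regex of the kind that would explain the reported behaviour (an assumption about how such a filter can fail) failing on the second input, and beside it a server-side pass that tokenises the HTML with Python's `html.parser`, so the whole style value is inspected wherever its line breaks fall. The sample inputs are constructed from the markup quoted in the report; the entity-encoded and backslash-escaped variants exercised in the tests are my own additions.

```python
# Added example (not Telerik's code, not the RadEditor StripCssExpressions filter):
# server-side removal of CSS expression(...) declarations from style attributes,
# tokenising the HTML so that a value spanning several lines is seen whole.
import html
import re
from html.parser import HTMLParser

# Sample inputs constructed from the markup quoted in the report.
SINGLE_LINE = ('<span style="width: expression((document.body.offsetWidth / 4 + 30) '
               "+ 'px'); background-color: green;\">text in a span</span>")
MULTI_LINE = ('<span style="width: \nexpression((document.body.offsetWidth / 4 + 30) '
              "+ 'px'); background-color: green;\">text in a span</span>")

# Line-bound pattern that reproduces the reported behaviour (an assumption about how
# such a filter can fail, not the real filter's code): [^"\n]* cannot cross a newline.
NAIVE_STYLE_RE = re.compile(r'style="[^"\n]*expression\s*\(', re.IGNORECASE)


def naive_detects(markup):
    """True when the line-bound pattern finds an expression in the markup."""
    return NAIVE_STYLE_RE.search(markup) is not None


def split_declarations(value):
    """Split a style value on ';' outside quotes and parentheses, so a ';' inside
    an expression body does not end the declaration early."""
    decls, buf, depth, quote = [], [], 0, None
    for ch in value:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth = max(0, depth - 1)
        elif ch == ';' and depth == 0:
            decls.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    decls.append(''.join(buf))
    return [d.strip() for d in decls if d.strip()]


def is_dangerous(decl):
    """Conservative: drop any declaration mentioning 'expression' once CSS comments
    and backslash escapes (\\65 -> e) are undone, wherever whitespace falls in it."""
    decl = re.sub(r'/\*.*?\*/', '', decl, flags=re.DOTALL)
    decl = re.sub(r'\\([0-9a-fA-F]{1,6})\s?',
                  lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), decl)
    decl = re.sub(r'\\(.)', r'\1', decl)
    return re.search('expression', decl, re.IGNORECASE) is not None


class StyleSanitizer(HTMLParser):
    """Re-emit the document with style attributes rewritten; HTML comments and
    doctype declarations are dropped rather than copied through."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:  # HTMLParser lower-cases names, entity-decodes values
            if value is None:
                parts.append(name)
                continue
            if name == 'style':
                kept = [d for d in split_declarations(value) if not is_dangerous(d)]
                if not kept:
                    continue  # nothing safe left: drop the attribute entirely
                value = '; '.join(kept)
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return (' ' + ' '.join(parts)) if parts else ''

    def handle_starttag(self, tag, attrs):
        self.out.append('<%s%s>' % (tag, self._attrs(attrs)))
    def handle_startendtag(self, tag, attrs):
        self.out.append('<%s%s />' % (tag, self._attrs(attrs)))
    def handle_endtag(self, tag):
        self.out.append('</%s>' % tag)
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append('&%s;' % name)
    def handle_charref(self, name):
        self.out.append('&#%s;' % name)


def strip_css_expressions(markup):
    """Return the markup with every expression(...) declaration removed."""
    parser = StyleSanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)
```

`naive_detects` returns True for the single-line sample and False for the multi-line one, while `strip_css_expressions` reduces both to `<span style="background-color: green">text in a span</span>`. Because `HTMLParser` entity-decodes attribute values before handing them over, `&#101;xpression(...)` is seen as `expression(...)` as well, and a style attribute with no safe declaration left is dropped rather than emitted empty.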
5 comments
ADMIN
Rumen
Posted on: 16 Feb 2022 14:54

I agree with you that the client-side validation can be easily skipped by altering the form data, for example using the DevTools, Fiddler, Burp, or another similar tool, and that server-side stripping is among the best practices for every developer.

I have good news: we found the reason for the problem, and StripCssExpressions will strip a CSS expression spanning two lines in the next R1 2022 SP1 release:

<span style="width: 
expression((document.body.offsetWidth / 4 + 30) + 'px'); background-color: green;">text in a span</span>

I also converted the forum thread to a bug report in the AJAX feedback portal.

Peter
Posted on: 16 Feb 2022 10:43

When it comes to security issues, you have to work a bit more outside of the box. I can happily inject CSS expressions into the demo and it doesn't strip them.

The easiest way to do this without intercepting the request (using Fiddler or other similar tools) is by using the DevTools of your browser and editing the raw HTML in the element (as seen in the screenshot below).

On the controls I'm using I've also added a decent amount of server-side filtering to prevent code injection, but this one slipped through the cracks since initial testing (without line breaks) showed promising results.

ADMIN
Rumen
Posted on: 16 Feb 2022 10:14

My test shows that the ConvertFontToSpan does strip the XSS. For your convenience, I recorded a short video demonstrating the solution: http://youtu.be/hazo3v-GZVw?hd=1

I tested the following demo in the video - https://demos.telerik.com/aspnet-ajax/editor/examples/builtincontentfilters/defaultcs.aspx

We will also review the code of the StripCssExpressions filter and write back with more information once we get a solution.

Peter
Posted on: 16 Feb 2022 08:56

Hi,

I wasn't sure adding a ConvertFontToSpan filter would resolve an XSS enabling bug in the StripCssExpressions filter, but just in case I did a quick test. It does not fix the problem.

To be clear, the shown example with a CSS expression in a span style is just that, an example. You can break the StripCssExpressions filter in any style attribute with a line break.

ADMIN
Rumen
Posted on: 16 Feb 2022 08:17

Hi Peter,

Can you enable the ConvertFontToSpan filter?

<telerik:RadEditor ContentFilters="ConvertFontToSpan,RemoveScripts,StripCssExpressions,StripDomEventAttributes" />

This should fix the problem.