In Development
Last Updated: 20 Oct 2025 13:59 by ADMIN
Scheduled for 2025 Q4 (Nov)
rumen jekov
Created on: 20 Oct 2025 13:58
Category: Editor
Type: Bug Report
Script execution occurs when switching between modes despite StripDomEventAttributes being enabled

When using RadEditor with the StripDomEventAttributes content filter enabled, script execution can still occur when switching from HTML to Design mode.

Certain HTML and SVG elements carrying event-handler attributes such as onload or onclick, or href/to attributes whose value starts with javascript:, are not fully sanitized before the editor's content is rendered in Design view. As a result, the embedded script runs during the mode transition even though the anti-script filter is active. The samples below separate the tag name from the attribute with a forward slash or with a whitespace character other than a plain space (newline, tab, form feed); the browser still parses these as attributes, but the filter does not strip them.

Reproduction steps:

Add a RadEditor with the default filters plus the StripDomEventAttributes filter:

<telerik:RadEditor runat="server" ID="RadEditor1"
    ContentFilters="DefaultFilters,StripDomEventAttributes">
</telerik:RadEditor>


  1. Load the page.
  2. Switch the editor to HTML mode.
  3. Paste any of the samples listed below.
  4. Switch to Design view.
  5. Observe that the alert fires, even though the StripDomEventAttributes filter is enabled.
<svg/onload=alert(1)><svg>     # forward slash as the separator
<svg
onload=alert(1)><svg>          # newline character (0x0A) as the separator
<svg	onload=alert(1)><svg>     # tab character (0x09) as the separator
<svgonload=alert(1)><svg>     # form feed character (0x0C) as the separator; it is invisible and may be lost when copied from this page