StripJavaScriptUris filter incorrectly strips base64-encoded image data URIs

Progress® Telerik® UI for ASP.NET AJAX Feedback Portal

Create an account Log In

Back to Feed

Request a Feature Report a Bug

Completed

Last Updated: 01 Dec 2025 12:57 by ADMIN

Release 2025 Q4 SP1

n/a

Created on: 01 Dec 2025 11:22

Category: Editor

Type: Feature Request

StripJavaScriptUris filter incorrectly strips base64-encoded image data URIs

The newly introduced StripJavaScriptUris security filter is incorrectly identifying and removing legitimate base64-encoded image data URIs (e.g., data:image/png;base64,...) from RadEditor content. The filter treats these safe image URIs as potential XSS threats and strips them along with dangerous JavaScript URIs.

1 comment

ADMIN

Rumen

Posted on: 01 Dec 2025 12:55

Hi Finn,

Thank you for reporting this issue!

I have good news that it is already fixed and the fix will be included in the next official service pack release.

Until the service pack is released, you can disable the filter by adding the following line to your Page_Load event:

        protected void Page_Load(object sender, System.EventArgs e)
        {
            RadEditor1.DisableFilter(EditorFilters.StripJavaScriptUris);
        }

Your Telerik points have been updated!

Regards,
Rumen
Progress Telerik

Stay tuned by visiting our public roadmap and feedback portal pages! Or perhaps, if you are new to our Telerik family, check out our getting started resources!

Create an account Log In

View

Type

Status