When using RadEditor with the StripDomEventAttributes content filter enabled, script execution can still occur when switching from HTML to Design mode.
Certain HTML and SVG elements that carry event attributes such as onload or onclick, or href/to attributes whose value starts with javascript:, are not fully sanitized before the editor's content is rendered in Design view. As a result, the embedded script runs during the mode transition even though the anti-script filter is active.
Reproduction steps:
Add a RadEditor with the default filters:
<telerik:RadEditor runat="server" ID="RadEditor1"
ContentFilters="DefaultFilters,StripDomEventAttributes">
</telerik:RadEditor>
<svg/onload=alert(1)><svg>
<svg onload=alert(1)><svg>  # newline char
<svg onload=alert(1)><svg>  # tab char
<svgonload=alert(1)><svg>  # new page char (0xc)
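As an added illustration of the gap described above (this is example code, not Telerik's StripDomEventAttributes filter or any editor API), a server-side audit check that reads attributes through a real HTML tokenizer, so an event-handler attribute or a javascript: URL is flagged whatever separator or entity encoding precedes it; the function name `find_script_attributes`, the `URL_ATTRS` list and the sample strings are assumptions of this example.

```python
"""Audit editor-submitted HTML for script-bearing attributes.

Added example, not Telerik's filter code. Attributes are read by a real HTML
tokenizer rather than by text matching, so an event handler is found whether
it follows the tag name after a space, a slash, a newline, a tab or a form
feed (0x0c), the separators used in the report above.
"""
import re
from html.parser import HTMLParser

# Attributes whose value is a URL (the report names href and the SVG "to").
URL_ATTRS = {"href", "src", "to", "action", "formaction", "xlink:href"}

# URL parsing drops leading C0 controls/spaces and every tab, LF or CR before
# the scheme is read, so "  \tjava\nscript:" is still treated as javascript:.
_URL_NOISE = re.compile(r"^[\x00-\x20]+|[\t\n\r]")


class ScriptAttrFinder(HTMLParser):
    """Collect (tag, attribute, reason) for every script-bearing attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and entity-decodes values, so
        # "&#106;avascript:" already arrives as "javascript:".
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "dom-event-handler"))
            elif name in URL_ATTRS and value is not None:
                scheme = _URL_NOISE.sub("", value).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append((tag, name, "javascript-url"))


def find_script_attributes(markup):
    """Return [(tag, attr, reason), ...] for attributes a filter must strip."""
    finder = ScriptAttrFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed samples: the report's separator variants plus a benign decoy.
    for sample in ("<svg/onload=alert(1)><svg>",
                   "<svg\x0conload=alert(1)><svg>",
                   '<a href="  &#106;avascript:void(0)">x</a>',
                   '<p class="onload">text</p>'):
        print(repr(sample), "->", find_script_attributes(sample))
```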
While keyboard navigation is enabled, moving through the items with the UP/DOWN arrows marks the rows active as expected; however, the active styles remain on rows that are no longer active.
The issue occurs when the ActiveItemStyle element is used to define the styles (e.g. ForeColor, BackColor, etc.). With the default styles it works as expected.
Code to replicate the issue:
<script runat="server">
    protected void RadGrid1_NeedDataSource(object sender, GridNeedDataSourceEventArgs e)
    {
        // Bind five in-memory rows so there are items to navigate with the arrow keys.
        (sender as RadGrid).DataSource = Enumerable.Range(1, 5).Select(x => new
        {
            OrderID = x,
            OrderDate = DateTime.Now.Date.AddDays(x),
            Freight = x * 0.1m,
            ShipName = "Name " + x,
            ShipCountry = "Country " + x
        }).ToList();
    }
</script>
<telerik:RadGrid ID="RadGrid1" runat="server" RenderMode="Lightweight" OnNeedDataSource="RadGrid1_NeedDataSource">
    <ActiveItemStyle BackColor="Red" ForeColor="White" />
    <ClientSettings AllowKeyboardNavigation="true">
    </ClientSettings>
</telerik:RadGrid>
When loading a page configured with RadScriptManager, RadStyleSheetManager, and RadWindowManager using CDN and combined resources, a JavaScript runtime error occurs:
<telerik:RadScriptManager runat="server" ID="RadScriptManager1"
AsyncPostBackTimeout="500" EnablePageMethods="true"
EnableScriptCombine="true" LoadScriptsBeforeUI="true"
EnableCdn="true" CdnSettings-TelerikCdn="Enabled" CdnSettings-CombinedResource="Enabled"
EnableScriptLocalization="true"
EnableScriptGlobalization="true" />
<telerik:RadStyleSheetManager ID="RadStyleSheetManager1"
runat="server"
EnableStyleSheetCombine="true"
CdnSettings-TelerikCdn="Enabled" CdnSettings-CombinedResource="Enabled" />
<telerik:RadWindowManager runat="server" ID="radWindowManager" Style="z-index: 7001;" RenderMode="Lightweight" />
<telerik:RadWindow runat="server" ID="RadWindowRecommendUs" EnableViewState="false"
Behaviors="Close" VisibleOnPageLoad="false"
Width="300px" Height="590px"
InitialBehaviors="Pin" VisibleStatusbar="false" VisibleTitlebar="true" Modal="true" ReloadOnShow="true" Overlay="false" />
<telerik:RadWindow ID="RadWindowFacebookLoginCompleteDetails" runat="server"
Behaviors="Reload" Modal="true" VisibleStatusbar="false"
Width="720" Height="750"
IconUrl="/SITE/COMPONENTS/facebook/fb_icon_16X16.png"
/>
<telerik:RadAjaxLoadingPanel ID="LoadingPanel1" runat="server" Style="width: 100%; min-height: 250px;" />