Hi,
I am contacting you today to let you know I have found cross-site scripting vectors within the latest version of the RadEditor. I have attached images of the payloads that seem to bypass the XSS filter.
The second payload only works on Firefox browsers, but the first works on Chrome browsers too. While it still requires users to click on the link to trigger XSS, it can be easily social engineered in most situations.
Given you have a table, where a row has multiple cells containing rowspans.
And there are also cells with no rowspan between them.
E.g. Starting HTML
<table>
    <tbody>
        <tr>
            <td rowspan="2">A1</td>
            <td>B1</td>
            <td rowspan="2">C1</td>
        </tr>
        <tr>
            <td>B2</td>
        </tr>
    </tbody>
</table>
When you delete the row (E.g. delete row 1 in the example above).
Then the cells in the resulting table are in the wrong columns.
E.g. Result HTML
<table>
    <tbody>
        <tr>
            <td>A1</td>
            <td>C1</td>
            <td>B2</td>
        </tr>
    </tbody>
</table>
Cells C1 and B2 are in the incorrect columns.
The desired outcome of deleting row 1 would be for all cells to remain in their original columns.
E.g. Desired Result HTML
<table>
    <tbody>
        <tr>
            <td>A1</td>
            <td>B2</td>
            <td>C1</td>
        </tr>
    </tbody>
</table>
Bug is reproducible in RadEditor demo using Starting HTML above (in various browsers).
Thank you,
Shane
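One way to get from the Starting HTML to the Desired Result HTML in the report above, as an added example that is not RadEditor's or Telerik's code: a small JavaScript table model that makes rowspan/colspan occupancy explicit, deletes a row, and re-emits the surviving cells in their original columns. The names buildGrid, deleteRow, toHtml and START are this example's own.

```javascript
// Added example, not RadEditor or Telerik code: delete a row from a table model while
// keeping every remaining cell in its column. A cell is {text, rowspan, colspan}.
// Expand the rows into a rectangular grid in which every slot holds the cell covering
// it, so the columns claimed by rowspan/colspan cells are explicit.
function buildGrid(rows) {
  const grid = [];
  rows.forEach((cells, r) => {
    grid[r] = grid[r] || [];
    let c = 0;
    for (const src of cells) {
      // copy the cell so the caller's table is left untouched
      const cell = { text: src.text, rowspan: src.rowspan || 1, colspan: src.colspan || 1 };
      while (grid[r][c]) c++; // skip slots already claimed by a span from a row above
      for (let dr = 0; dr < cell.rowspan; dr++) {
        grid[r + dr] = grid[r + dr] || [];
        for (let dc = 0; dc < cell.colspan; dc++) grid[r + dr][c + dc] = cell;
      }
      c += cell.colspan;
    }
  });
  return grid;
}
// Delete row k and return the new table model.
function deleteRow(rows, k) {
  const grid = buildGrid(rows);
  if (k < 0 || k >= grid.length) throw new RangeError(`no row ${k}`);
  // Every cell covering row k loses one row: a cell that both starts and ends on
  // row k vanishes with the row; every other cell keeps its column and shrinks.
  for (const cell of new Set(grid[k].filter(Boolean))) {
    if (cell.rowspan > 1) cell.rowspan -= 1;
  }
  grid.splice(k, 1);
  // Scanning top-down and left-to-right, the first slot naming a cell is its new
  // top-left corner, so rebuilding rows from the grid preserves column order.
  const seen = new Set();
  return grid.map(row => row.filter(cell => cell && !seen.has(cell) && seen.add(cell)));
}
// Serialise a table model as compact HTML for comparison with the report's markup.
function toHtml(rows) {
  const attr = (n, v) => (v > 1 ? ` ${n}="${v}"` : '');
  const td = c => `<td${attr('rowspan', c.rowspan)}${attr('colspan', c.colspan)}>${c.text}</td>`;
  return `<table><tbody>${rows.map(r => `<tr>${r.map(td).join('')}</tr>`).join('')}</tbody></table>`;
}
// The report's Starting HTML as a table model (constructed for this example).
const START = [
  [{ text: 'A1', rowspan: 2 }, { text: 'B1' }, { text: 'C1', rowspan: 2 }],
  [{ text: 'B2' }],
];
```

toHtml(deleteRow(START, 0)) yields the Desired Result HTML with B2 in the middle column, and deleting row 1 instead leaves A1, B1, C1 in place with their rowspans reduced to 1.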
Hello Telerik Team,
This is regarding the SpellCheck functionality in the Telerik Editor. Basically, whenever a user activates the SpellCheck from the "✓abc" button, the page automatically scrolls based on the position of the word. This does not give a good user experience and makes it difficult to work on the page.
We have seen this issue in the demos you have on your site as well.
URL: https://demos.telerik.com/aspnet-ajax/editor/examples/spellchecker/defaultcs.aspx
To Replicate go to this URL and follow the process below:
For your reference, we have attached a screenshot of the editor we have in our website.
Let us know if you require any further information to debug it.
Thank you,
Prateek Sanganeria
We are using CDN and combined scripts as much as possible, and have run into an issue with the RadEditor where applying custom CSS classes breaks, e.g. the applied CSS class on the selected content gets stripped, for example from
.laystyle
to
.l
Hi Rumen,
I have encountered a problem as follows:
When a table is added to the radeditor with empty cells, after inserting text in the empty cell and rejecting the track changes, the complete td (cell) is removed.
Figure shows text inserted in empty cell with track changes on
After rejecting this track changes:
The cell has been removed and you can see the space in the end
You can use the following table code to reproduce the same, I have tried this in the demo link: https://demos.telerik.com/aspnet-ajax/editor/examples/trackchanges/defaultcs.aspx
<table frame="topbot" class="body_table">
Do let me know if you need any further information on the same.
Thanks
Regards
Chetan
<telerik:RadTabStrip runat="server" ID="RadTabStrip2" MultiPageID="RadMultiPage2" SelectedIndex="0">
    <Tabs>
        <telerik:RadTab Text="Add Response"></telerik:RadTab>
    </Tabs>
</telerik:RadTabStrip>
<telerik:RadMultiPage runat="server" ID="RadMultiPage2" SelectedIndex="0">
    <telerik:RadPageView runat="server" ID="RadPageView11">
        <telerik:RadEditor Width="100%" EditModes="Design" ID="reReqCom" runat="server" ContentAreaCssFile="~/AppRoot/Xml/RadEditor/EditorContentArea.css" ToolsFile="~/AppRoot/Xml/RadEditor/BasicTools.xml" Skin="Material" />
    </telerik:RadPageView>
</telerik:RadMultiPage>
This behavior is occurring only if using the Firefox browser:
1. If you set the EditModes within the backend only to EditMode.Preview then all html table elements within the content appear like in EditMode.Design, with dashed borders.
You can reproduce it on your own demo site https://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx: simply disable EditMode.Html and EditMode.Design.
Now you see the dashed table element borders like in design mode....
2. Sometimes if you switch edit mode from Html to Preview the same effect is occurring, displaying dashed borders on html table elements. If you switch directly from Design mode to Preview mode all works fine.
3. If you resize the editor in preview mode with the resize button in the right lower corner the display switches immediately to dashed borders for all html table elements...
At the moment we use a fix to reset preview mode: if only preview mode is activated for the editor we set the preview mode again with a timeout of 250 ms after loading of the dialog is ready (if the timeout is too low no effect appears).
Sys.Application.add_load(function () {
    // Re-apply Preview mode (EditModes value 4) 250 ms after the page has loaded
    window.setTimeout(function () { $find('AjaxEditorClientID').set_mode(4); }, 250);
});
Regards
Thomas
Hi,
As per the title, I also found it can be reproduced on the demo site: https://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx
Step:
1. Change to 'HTML' mode.
2. Open 'Find And Replace' dialog.
3. Enter a word to find and hit the 'Find' button.
Notice that the word does not get highlighted. It only happens in 'HTML' mode; 'Design' mode works fine.
Please help as this feature is very useful in my project.
Thank you.
The issue is that when we delete the entire line which contains bullets, it doesn't delete the bullets. We are using the server-side AcceptTrackChanges() method and it keeps the background color of the deleted lines.
ASPX
<telerik:RadEditor RenderMode="Lightweight" ID="RadEditor1" EnableTrackChanges="true" runat="server" Width="750px" Height="400px" ToolsFile="~/ToolsFile.xml">
    <TrackChangesSettings Author="RadEditorUser" CanAcceptTrackChanges="true" UserCssId="reU0"></TrackChangesSettings>
    <Content>
        <ol>
            <li>test
                <ol>
                    <li>test2</li>
                </ol>
            </li>
            <li>test3</li>
        </ol>
    </Content>
</telerik:RadEditor>
<asp:Button Text="Get Content" OnClick="GetContent" runat="server" />
<br />
EditorWithoutTracking:<br />
<asp:TextBox runat="server" id="EditorWithoutTracking" TextMode="MultiLine" Width="1000px" Height="500px"/><br />
EditorWithTracking:<br />
<asp:TextBox runat="server" id="EditorWithTracking" TextMode="MultiLine" Width="1000px" Height="500px"/>
Codebehind
protected void GetContent(object sender, EventArgs e)
{
    // Content before accepting the tracked changes
    EditorWithoutTracking.Text = RadEditor1.Content;
    RadEditor1.AcceptTrackChanges();
    // Content after the server-side accept
    EditorWithTracking.Text = RadEditor1.Content;
}
We have an issue with paragraph styles which have some custom classes. It has different behavior depending on how you select your paragraph. In some cases, when you fully select your paragraph, the class remains the same as the previous paragraph. Please see the video of the issue reproduced on the Telerik demo for more details: https://www.screencast.com/t/xg9b1imVO
Workaround:
<script type="text/javascript">
    function OnClientCommandExecuting(editor, args) {
        //The command name
        var commandName = args.get_commandName();
        //The tool that initiated the command
        if (commandName == "FormatBlock") {
            //editor.get_document().execCommand("FormatBlock", false, "div");
            var selectedElement = editor.getSelectedElement();
            if (selectedElement.getAttribute("style")) {
                selectedElement.removeAttribute("style");
            } else if (selectedElement.getAttribute("class")) {
                selectedElement.removeAttribute("class");
            }
        }
    }
</script>
<telerik:RadEditor RenderMode="Lightweight" runat="server" ID="RadEditor1" ToolsFile="Tools.xml" Width="800px" OnClientCommandExecuting="OnClientCommandExecuting">
    <Content>
        some plain text
    </Content>
    <CssFiles>
        <telerik:EditorCssFile Value="Styles.css" />
    </CssFiles>
</telerik:RadEditor>
When Track Changes is enabled and a <p> element contains nothing but whitespace (newline, space or tab characters), any time one character is deleted, the entire element is deleted.
Another issue relating to this is that when the line is deleted, if there is another whitespace <p> element above the element, the cursor is placed not on that line, but on whatever line is next without any whitespace.
This behavior can be reproduced in the track-changes demo (found at https://demos.telerik.com/aspnet-ajax/editor/examples/trackchanges/defaultcs.aspx ) by following these steps:
1. Create a <p> element containing some text
2. Below this element, create 3 more containing nothing but whitespace
3. On the last line enter a space and then press the backspace key
The cursor will be moved to the <p> element containing text and the entire element will be deleted (not just the space which was entered)
The problem can be reproduced on the track changes demo at https://demos.telerik.com/aspnet-ajax/editor/examples/trackchanges/defaultcs.aspx
1. Copy a list from Word (bullet or numbered doesn't matter, but numbered is more problematic)
2. Paste into the content area with track changes turned on
3. Apply Bold, Underline or Italics to the pasted list
Result: The list seems to break itself into 3 separate lists all spaced further apart than initially. Numbered lists will go from 1,2,3 to having 1,1,1.
RadEditor does not offer resx localization for the following Track Changes strings "Inserted by ", "Formatted by ", "Deleted by " as well as for the strings in the Comments dialog: Title, Save, Cancel and Edit.
1. Inside the editor (http://demos.telerik.com/aspnet-ajax/editor) copy and paste the contents of the attached file.
2. When prompted to clean the pasted data, select Yes.
3. Visually inspect the order of the list elements and the indentation - see the screenshot in the attachment.
By default the options "Copy Format", "Apply Format" and "Clear Format" are all enabled when a ribbonbar toolbar is used, but the second and third options should be disabled initially. The problem does not happen in the Default toolbar mode and can be reproduced in the Overview demo of the control -> switch to ribbonbar mode and press the full set of tools radio button. The Clear Format tool is located in the sixth button group of the ribbonbar.
Steps:
1) Enter in HTML mode:
<ins author="RadEditorUser" command="Insert" timestamp="1635859985945" title="Inserted by RadEditorUser on 11/2/2021, 3:33:05 PM" class="reU0">
    <table>
        <tbody>
            <tr>
                <td> text</td>
                <td> </td>
                <td> </td>
            </tr>
            <tr>
                <td> </td>
                <td> text</td>
                <td> </td>
            </tr>
            <tr>
                <td> </td>
                <td> </td>
                <td>text </td>
            </tr>
        </tbody>
    </table>
</ins>
2) Select the word in cell 1
3) Apply Bold formatting
<ins author="RadEditorUser" command="Insert" timestamp="1635859985945" title="Inserted by RadEditorUser on 11/2/2021, 3:33:05 PM" class="reU0">
    <table>
        <tbody>
            <tr>
                <td> </td>
            </tr>
        </tbody>
    </table>
</ins><ins author="RadEditorUser" command="Insert" timestamp="1635859985945" title="Inserted by RadEditorUser on 11/2/2021, 3:33:05 PM" class="reU0">
    <table>
        <tbody>
            <tr>
                <td><strong author="RadEditorUser" command="Bold" timestamp="1635860413199" title="Formatted by RadEditorUser on 11/2/2021, 3:40:13 PM" class="reFormat reU0">text</strong></td>
            </tr>
        </tbody>
    </table>
</ins><ins author="RadEditorUser" command="Insert" timestamp="1635859985945" title="Inserted by RadEditorUser on 11/2/2021, 3:33:05 PM" class="reU0">
    <table>
        <tbody>
            <tr>
                <td></td>
                <td> </td>
                <td> </td>
            </tr>
            <tr>
                <td> </td>
                <td> text</td>
                <td> </td>
            </tr>
            <tr>
                <td> </td>
                <td> </td>
                <td>text </td>
            </tr>
        </tbody>
    </table>
</ins>
Steps to Reproduce:
1. Insert a table and add some data to the table in Chrome
2. Above the Table, insert some text
3. Highlight the text and drag the cursor to highlight half of the data in the table
4. Hit Delete on your keyboard
Result: The colgroup is removed from the table
Position the cursor between the words SharePoint and Whether in the first paragraph and add a line break, after that press Backspace and you'll see that the new line does not disappear. Adding new sections between existing paragraphs or after the last paragraph seems to work fine, but if you have to break up an existing paragraph into two paragraphs and then want to turn it back into one you won't be able to. https://www.screencast.com/t/NAniQ50c2UU9