New to Telerik UI for ASP.NET AJAX? Download free 30-day trial

How to sanitize Markdown content


Sanitize Markdown import in RadEditor.

The goal is to avoid potential XSS attacks, for example, because you cannot trust the source your end users will have for their Markdown content.


You need to:

  • first and foremost, implement the desired level of content sanitization. The example attached below removes event attributes. You can use it and improve it to match your needs.
  • execute the content sanitization before content is added to the editor
  • with the built-in Markdown import, this is before calling set_html()

        function importMarkdownAndSanitize() {
        //built-in Markdown import
        var converter = new Telerik.Web.UI.Editor.Markdown.Converter();
        var editor = $find("<%=RadEditor1.ClientID%>");
        var textBox = $get("<%=MarkdownTextBox1.ClientID%>");
        var rawHtml = converter.makeHtml(textBox.value);
        //implement sanitization
        var sanitizedHtml = sanitizeContent(rawHtml);
        //set the content in the editor
    * with pasting content, this is the OnClientPasteHtml event 
    function OnClientPasteHtml(sender, args) {
        //perform the same sanitization when pasting content (including from the PasteMarkdown dialog)

    See Also

In this article