Prevention of XSS attacks through DOM attributes
Problem
Potential XSS attack through DOM attributes of specific elements.
Description
Some DOM attributes allow parsing of their content and thus, JS code that can carry a XSS payload may be present in them. They are mostly event attributes like onerror, onclick, onmouseover, and so on. RadEditor provides a built-in filter that strips event-related attributes—the StripDomEventAttributes filter.
In some other cases, you may have complex content or highly specific elements/attributes that do not fall in this category that can also carry a malicious payload. To handle such cases, you need to implement some custom code (see examples below in the solutions section).
IMPORTANT: Content sanitization and attack prevention lies in the application scope. Depending on the application logic, some content may be allowed or removed. As such, the application developer must ensure safety of the user input, like with all data, and RadEditor may not be able to handle all scenarios and requirements. The following article treats this matter in more details: Prevent Cross-site Scripting (XSS).
Solution
You need to create both a server-side and a client-side solutions to properly handle this case.
The server-side content sanitization takes care of the case when content was by the user and must execute before storing it, and should also be executed after retrieval of the content before rendering it to the browser. It is usually some form of Regex expression.
The client-side solution handles the case when the end user enters content in the editor. You can create a custom filter for it: https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/content-filters#implementing-a-custom-filter.
Below follow a few examples that you can use as a starting point for more detailed implementations.
-
How to remove
//get content (from user input, or from data source string content = RadEditor1.Content; //remove <embed> tags content = Regex.Replace(content, "<(EMBED)([^>]*)/>", "", RegexOptions.IgnoreCase); content = Regex.Replace(content, "<(EMBED)([^>]*)>[\\s\\S]*?</(EMBED)([^>]*)>", "", RegexOptions.IgnoreCase); //use the content (e.g., render in the browser) RadEditor1.Content = content; ```` * How to remove <embed> tags or at least their src attribute on the client: ````ASP.NET <telerik:RadEditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad"> </telerik:RadEditor> <script> function OnClientLoad(editor, args) { editor.get_filtersManager().add(new RemoveEmbedTags()); } RemoveEmbedTags = function () { RemoveEmbedTags.initializeBase(this); this.set_isDom(true); this.set_enabled(true); this.set_name("Remove Embed Tags"); this.set_description("Reduce the chance of XSS attacks if the user pastes untrusted content"); } RemoveEmbedTags.prototype = { getHtmlContent: function (contentElement) { var embeds = contentElement.getElementsByTagName("EMBED"); for (i = embeds.length - 1; i > -1; i--) { var embed = embeds[i]; //remove the src attribute embed.removeAttribute("src"); //or remove the entire <embed> element //embed.parentNode.removeChild(embed); } return contentElement; }, getDesignContent: function (contentElement) { var embeds = contentElement.getElementsByTagName("EMBED"); for (i = 0; i < embeds.length; i++) { var embed = embeds[i]; //remove the src attribute embed.removeAttribute("src"); //or remove the entire <embed> element //embed.parentNode.removeChild(embed); } return contentElement; } } RemoveEmbedTags.registerClass('RemoveEmbedTags', Telerik.Web.UI.Editor.Filter); ````
See Also