New to Telerik UI for ASP.NET AJAX? Download free 30-day trial

Strip client-side events from the HTML content of RadEditor

Description

This custom content filter solution shows how to parse the content and strip the onclick, onmousedown, onmouseover attributes. Use it as a base to strip the desired attributes from the content.

Solution

To strip all client-side event related attributes you can use a content filter as it is shown in the code below:

<telerik:radeditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">  
    <Content> 
        <a href="javascript:doSomething();" >Click here</a> 
        <div onclick="alert();">Click Here</div> 
    </Content> 
</telerik:radeditor> 
<script type="text/javascript">  
function OnClientLoad(editor, args)  
{  
   editor.get_FiltersManager().add(new MyFilter());  
}  
MyFilter = function()  
{  
   MyFilter.initializeBase(this);  
   this.set_isDom(false);  
   this.set_enabled(true);  
   this.set_name("RadEditor filter");  
   this.set_description("RadEditor filter description");  
}  
MyFilter.prototype =  
{  
   getHtmlContent : function(content)  
   {  
     var dom = document.createElement("DIV");     
     dom.innerHTML = content;     

     var elems = dom.getElementsByTagName("*");     
     for (var i=0; i < elems.length; i++)     
     {     
        //Remove all onmouseover, onmouseout, onclick eventhandlers from element           
        var elem = elems[i];  
        elem.removeAttribute("onmouseover");  
        elem.removeAttribute("onmouseout");  
        elem.removeAttribute("onclick");  
        //remove other eventhandlers that you do not want to be included in the content

        if (elem.tagName == "A")  
        {  
            if(elem.href.indexOf("javascript:") == 0) //if the href values of the link tags start with javascript:  then set href="#""
            {  
                elem.setAttribute("href", "#");  
            }  
        }  
     }                      
     return dom.innerHTML;      
   }  
}  
MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);  
</script> 

You can also check out these dedicated articles describing how to prevent XSS in RadEditor:

In this article
Not finding the help you need? Improve this article