
Strip client-side events from the HTML content of RadEditor


This custom content filter solution shows how to parse the content and strip the onclick, onmousedown, onmouseover attributes. Use it as a base to strip the desired attributes from the content.


To strip all client-side event-related attributes, use a content filter as shown in the code below:

<telerik:radeditor runat="server" ID="RadEditor1" OnClientLoad="OnClientLoad">
    <Content>
        <a href="javascript:doSomething();">Click here</a>
        <div onclick="alert();">Click Here</div>
    </Content>
</telerik:radeditor>
<script type="text/javascript">
function OnClientLoad(editor, args) {
   editor.get_filtersManager().add(new MyFilter());
}
MyFilter = function() {
   MyFilter.initializeBase(this);
   this.set_isDom(false);
   this.set_enabled(true);
   this.set_name("RadEditor filter");
   this.set_description("RadEditor filter description");
}
MyFilter.prototype = {
   getHtmlContent : function(content) {
     var dom = document.createElement("DIV");
     dom.innerHTML = content;

     var elems = dom.getElementsByTagName("*");
     for (var i = 0; i < elems.length; i++) {
        //Remove all onmouseover, onmouseout, onclick event handlers from the element
        var elem = elems[i];
        elem.removeAttribute("onmouseover");
        elem.removeAttribute("onmouseout");
        elem.removeAttribute("onclick");
        //remove other event handlers that you do not want to be included in the content

        if (elem.tagName == "A") {
            //if the href value of the link starts with javascript: then set href="#"
            if (elem.href.indexOf("javascript:") == 0) {
                elem.setAttribute("href", "#");
            }
        }
     }
     return dom.innerHTML;
   }
}
MyFilter.registerClass('MyFilter', Telerik.Web.UI.Editor.Filter);
</script>
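
The filter above removes only the attributes it names and checks only the `href` of links. As an added example (not Telerik's code), the version below generalizes it: it drops every attribute whose name starts with `on`, resets `javascript:` URLs in `href`, `src`, `action` and `formaction`, and parses the content in a document from `createHTMLDocument` so nothing in the markup runs while it is filtered. The names `isScriptUrl`, `stripActiveAttributes` and `getHtmlContentStrict` are hypothetical.

```javascript
// Added example, not Telerik's code. Function names here are hypothetical.
var URL_ATTRS = ["href", "src", "action", "formaction"];

// URL parsing drops leading whitespace and embedded tabs/newlines, so remove
// all characters up to U+0020 before comparing. Over-matching is the safe side.
function isScriptUrl(value) {
  var compact = String(value).replace(/[\u0000-\u0020]+/g, "").toLowerCase();
  return compact.indexOf("javascript:") === 0;
}

// Remove every on* attribute and reset script URLs below root (a DOM element).
// Returns the number of attributes changed.
function stripActiveAttributes(root) {
  var changed = 0;
  var elems = root.getElementsByTagName("*");
  for (var i = 0; i < elems.length; i++) {
    var elem = elems[i];
    // Copy first: elem.attributes is live and shrinks during removal.
    var attrs = Array.prototype.slice.call(elem.attributes);
    for (var j = 0; j < attrs.length; j++) {
      var name = attrs[j].name.toLowerCase();
      if (name.indexOf("on") === 0) {
        elem.removeAttribute(attrs[j].name);
        changed++;
      } else if (URL_ATTRS.indexOf(name) !== -1 && isScriptUrl(attrs[j].value)) {
        elem.setAttribute(attrs[j].name, "#");
        changed++;
      }
    }
  }
  return changed;
}

// Candidate body for MyFilter.prototype.getHtmlContent.
function getHtmlContentStrict(content) {
  // A document from createHTMLDocument has no browsing context, so the
  // markup stays inert (no image loads, no handlers) while it is filtered.
  var doc = document.implementation.createHTMLDocument("");
  doc.body.innerHTML = content;
  stripActiveAttributes(doc.body);
  return doc.body.innerHTML;
}

// Constructed sample input; runs only where a DOM exists (a browser).
if (typeof document !== "undefined") {
  console.log(getHtmlContentStrict(
    '<a href=" JavaScript:doSomething();">Click here</a>' +
    '<img src="x.png" onerror="alert();"><div onclick="alert();">Click Here</div>'));
}
```

To use it, return `getHtmlContentStrict(content)` from `MyFilter.prototype.getHtmlContent`. A client-side filter does not see content posted directly to the server, so the submitted HTML still needs server-side sanitization.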

You can also check out these dedicated articles describing how to prevent XSS in RadEditor:
