EnableStripStyleTagsCodeInjection stripping safe styles too

Last post 11-07-2010, 8:02 PM by Kenneth. 3 replies.
  •  11-02-2010, 10:30 AM 64841

    EnableStripStyleTagsCodeInjection stripping safe styles too

    The following text, when put into CuteEditor, has its style tags stripped (but the style info is left behind). I assume this is because EnableStripStyleTagsCodeInjection is set to true. But there is nothing executable or malicious in the styles:
     
    blah, blah, blah...
    <DIV dir=ltr align=left><SPAN class=187181814-13052010><FONT color=#0000ff
    face="Century Gothic">Yes again, Lisa said the credit was mailed just a couple
    days ago.
    <STYLE>A.psl {
     COLOR: #4e81c4; TEXT-DECORATION: none
    }
    A:hover {
     TEXT-DECORATION: underline
    }
    A.psl:hover {
     COLOR: #999999
    }
    .noro {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #4e81c4; FONT-SIZE: 12pt
    }
    .tiny {
     FONT-SIZE: 1pt
    }
    .logotext {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #ffffff; FONT-SIZE: 10pt; TEXT-DECORATION: none
    }
    A.brand {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #ffffff; FONT-SIZE: 8pt; TEXT-DECORATION: underline
    }
    </STYLE>
    </FONT></SPAN></DIV><BR>
    blah, blah, blah
  •  11-02-2010, 10:26 PM 64843 in reply to 64841

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Hi manciaux, 
     
    By default, EnableStripStyleTagsCodeInjection is set to true to prevent style tag injection attacks. If you want to use the <style> tag, please set it to false, like:
     
       <CE:Editor ID="editor1" runat="server" EnableStripStyleTagsCodeInjection="false">
       </CE:Editor>
     
    Regards,
     
    ken 
  •  11-05-2010, 12:27 PM 64889 in reply to 64843

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Well, it doesn't do what it says in two ways:
     
    1) it strips style tags that have nothing that could be malicious
    and
    2) it strips the tag but leaves the content - which looks like garbage text to most users
     
    In my opinion this is a defect.
  •  11-07-2010, 8:02 PM 64904 in reply to 64889

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Hi manciaux,
     
    Many thanks for your suggestion; we will improve it in future versions.
     
    Regards,
     
    ken 