Live Support, Chat, Upload Control and Rich Text Editor

EnableStripStyleTagsCodeInjection stripping safe styles too

Last post 11-07-2010, 8:02 PM by Kenneth. 3 replies.
  •  11-02-2010, 10:30 AM 64841

    EnableStripStyleTagsCodeInjection stripping safe styles too

    The following text, when put into CuteEditor, strips the style tags (and leaves the style info). I assume this is because EnableStripStyleTagsCodeInjection is set to true. But there is nothing executable or malicious in the styles:
     
    blah, blah, blah...
    <DIV dir=ltr align=left><SPAN class=187181814-13052010><FONT color=#0000ff
    face="Century Gothic">Yes again, Lisa said the credit was mailed just a couple
    days ago.
    <STYLE>A.psl {
     COLOR: #4e81c4; TEXT-DECORATION: none
    }
    A:hover {
     TEXT-DECORATION: underline
    }
    A.psl:hover {
     COLOR: #999999
    }
    .noro {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #4e81c4; FONT-SIZE: 12pt
    }
    .tiny {
     FONT-SIZE: 1pt
    }
    .logotext {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #ffffff; FONT-SIZE: 10pt; TEXT-DECORATION: none
    }
    A.brand {
     FONT-FAMILY: Verdana,Arial,fixed; COLOR: #ffffff; FONT-SIZE: 8pt; TEXT-DECORATION: underline
    }
    </STYLE>
    </FONT></SPAN></DIV><BR>
    blah, blah, blah
  •  11-02-2010, 10:26 PM 64843 in reply to 64841

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Hi manciaux, 
     
    By default, EnableStripStyleTagsCodeInjection is set to true to prevent style tag injection attacks. If you want to use the <style> tag, please set it to false, like this:
     
    <CE:Editor ID="editor1" runat="server" EnableStripStyleTagsCodeInjection="false">
    </CE:Editor>
     
    Regards,
     
    ken 
  •  11-05-2010, 12:27 PM 64889 in reply to 64843

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Well, it doesn't do what it says, in two ways:
     
    1) it strips style tags that have nothing that could be malicious
    and
    2) it strips the tag but leaves the content, which looks like garbage text to most users
     
    In my opinion this is a defect.
  •  11-07-2010, 8:02 PM 64904 in reply to 64889

    Re: EnableStripStyleTagsCodeInjection stripping safe styles too

    Hi manciaux,
     
    Thanks very much for your suggestion; we will improve it in future versions.
     
    Regards,
     
    ken 
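
The two behaviours raised in this thread (benign styles being stripped, and the tag being removed while its CSS text stays behind) can be avoided by deciding per `<style>` element and removing a rejected element together with its content. The following is an added example, not CuteSoft's code and not part of the original posts; `filterStyleBlocks`, `isRiskyCss`, `normalizeCss` and the pattern list are assumptions made for illustration.

```javascript
// Added example: hypothetical filter, not CuteEditor's implementation.
// CSS constructs that can run script or load unfiltered CSS (mostly legacy browsers).
const RISKY_CSS = [
  /expression\s*\(/,            // IE dynamic properties
  /(^|[^-\w])behavior\s*:/,     // IE .htc behaviors (not scroll-behavior)
  /-moz-binding/,               // old Gecko XBL bindings
  /@import/,                    // external stylesheet would bypass this check
  /(javascript|vbscript)\s*:/,  // script URLs inside url(...)
];

// Undo obfuscations a blocklist has to see through before matching.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, "")                  // comments splitting a keyword
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, hex) => {   // hex escapes such as \78
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    })
    .replace(/\\/g, "")                                // remaining backslash escapes
    .toLowerCase();
}

function isRiskyCss(css) {
  const normalized = normalizeCss(css);
  return RISKY_CSS.some((re) => re.test(normalized));
}

// Keep benign <style> elements intact; drop risky or unclosed ones together
// with their content, so no CSS source is left behind as visible text.
function filterStyleBlocks(html) {
  let removed = 0;
  const out = html.replace(
    /<style\b[^>]*>([\s\S]*?)(<\/style\s*>|$)/gi,
    (block, css, close) => {
      if (close !== "" && !isRiskyCss(css)) return block;
      removed++;
      return "";
    }
  );
  return { html: out, removed };
}

// Constructed sample input: one rule from the thread plus one obfuscated block.
const sample =
  "<p>a</p><STYLE>A.psl {\n COLOR: #4e81c4; TEXT-DECORATION: none\n}</STYLE>" +
  "<style>.x{width:e\\78 pression(0)}</style><p>b</p>";
console.log(filterStyleBlocks(sample));
```

A production sanitizer should work on parsed HTML and CSS with an allowlist of properties rather than a blocklist over raw markup; the blocklist here only illustrates the keep-or-drop-whole handling of the element.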
Copyright 2003 - 2017 CuteSoft Components Inc. All rights reserved.