Preventing Cross-Site Scripting (XSS)

21 Mar 20254 minutes to read

The Rich Text Editor allows users to edit the content with security by preventing cross-site scripting (XSS). By default, it provides built-in support to remove elements from editor content that cause XSS attacks. The editor removes the elements based on the attributes if it is possible to execute a script.

The EnableHtmlSanitizer property determines whether XSS prevention is active. It’s set to true by default.

In the following sample, we removed the script tag and onmouseover attribute from the content of the Rich Text Editor.

CSHTML
Controller.cs
@Html.EJS().RichTextEditor("defaultRTE").ContentTemplate(@<div><div onmouseover="javascript:alert(1)">Prevention of Cross Sit Scripting (XSS)</div><script>alert("hi")</script></div>).Render()
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

The XSS prevention feature is only applicable when the EditorMode is set to HTML.

Custom Cross-Site Scripting Prevention

For more precise control over XSS prevention, you can implement custom filtering logic using the BeforeSanitizeHtml event.

Implementing Custom Cross-Site Scripting and Filtering in Rich Text Editor

Use the BeforeSanitizeHtml event to define custom filtering rules.
Utilize the helper function from the event argument to apply your custom filters.
Set the cancel argument to true if you want to override the built-in XSS prevention entirely.

The following sample demonstrates how to filter the script tag by value.

CSHTML
Controller.cs
@Html.EJS().RichTextEditor("defaultRTE").ContentTemplate(@<div><div>Prevention of Cross Sit Scripting (XSS)</div><script>alert("hi")</script></div>).BeforeSanitizeHtml("beforeSanitizeHtml").Render()
    <script>
        function beforeSanitizeHtml(args) {
            args.helper = (value) => {
            args.cancel = true;
            var temp = document.createElement('div');
            temp.innerHTML = value;
            var scriptTag = temp.querySelector('script');
            if (scriptTag) {
                ej.base.detach(scriptTag);
                }
                return temp.innerHTML;
            }
        }
    </script>
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

You can also filter out the e.selectors.tags and e.selector.attributes in the BeforeSanitizeHtml event to control which HTML tags and attributes are allowed to appear.

For instance, if you want to display <iframe>, you can manipulate the e.selectors.tags property in this event to selectively remove tags like <iframe>. This approach ensures that your application can safely display an iframe while preventing potential security risks associated with XSS vulnerabilities.

The following sample demonstrates how to filter the iframe tag.

CSHTML
Controller.cs
@Html.EJS().RichTextEditor("defaultRTE").ContentTemplate(@<div><div>Prevention of Cross Sit Scripting (XSS)</div><script>alert("hi")</script></div>).BeforeSanitizeHtml("beforeSanitizeHtml").Render()

<script>
    function beforeSanitizeHtml(args) {
        if (e.selectors && e.selectors.tags) {
            e.selectors.tags = e.selectors.tags.filter((tag) => tag !== 'iframe:not(.e-rte-embed-url)');
            e.selectors.tags = [('iframe[src^="https://"]')];
        }
    }
</script>
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}