1. Feedback
  2. Blazor
  3. 31516

Welcome to the Blazor feedback portal. We’re happy you’re here! If you have feedback on how to improve the Blazor, we’d love to hear it!

  • Check out the features or bugs others have reported and vote on your favorites. Feedback will be prioritized based on popularity.
  • If you have feedback that’s not listed yet, submit your own.

Thanks for joining our community and helping improve Syncfusion products!

3
Votes

Provide support to add the XSS syntax with existing html sanitizer list

Customer Requirement:

The customer wants to add any tags/selectors to the already existing html sanitizer tags/selectors.

 

Current Behavior:

Currently there is no option to add extra(customer need) tags/selectors to the filter, so that the tags can be prevented in the Rich Text Editor.

 

We have “DeniedSanitizeSelectors” API which removes the tags/selectors from the html sanitizer list, so that configured tags can be allowed.

 

For Example:

 

<SfRichTextEditor EnableHtmlSanitizer="true" DeniedSanitizeSelectors="@FilterElements">

    <p>Ric<a href="<script>fds</script>">google</a>h Text Ed  <iframe src=http://evil.com/xss.html></iframe>itor allows to insert images from online source as well as local computer where you want to insert the image in your content.</p>

</SfRichTextEditor>

 

@code { public string[] FilterElements { get; set; } = new string[] { "iframe[src]" }; }

 

Here by default when the EnableHtmlSanitizer is true the iframe will removed when RTE is rendered. But when the “iframe[src]” selector is added to the  DeniedSanitizeSelectors list, it will allowed to rendered.

 

Likewise we need a API property to add customer required selectors/tag to the already existing list.