Security of RichTextEditor- malicious javascript or html code

Question

Hello,I have a markup string displaying the contents of the rich text editor on the website and I would like to know some more information about any security features of the rich text editor.I am worried about someone being able to paste malicious javascript or html code in the rich text editor.Is there anything built in to mitigate such an attack?

Vinitha Jeyakumar · Accepted Answer

Hi Pavel,We have Cross-Site Scripting which is a security vulnerability and a client-side injection attack. Attackers inject the malicious code in a web application, usually JavaScript but could also be HTML or CSS. To prevent this aspect, the API EnableHtmlSanitizer is provided and its default value is set to true.Code snippet: API Link: https://help.syncfusion.com/cr/blazor/Syncfusion.Blazor.RichTextEditor.SfRichTextEditor.html#Syncfusion_Blazor_RichTextEditor_SfRichTextEditor_EnableHtmlSanitizerRegards,Vinitha

Pavel · Answer

If the user inserts special stuff into RichTextEditor....

like

Then the JS code still gets executed.

Can you advice proper way on how to achieve "no javascript at all" will be accepted scenario?

Thanks

Vinitha Jeyakumar · Answer

Hi Pavel,When we set true to the EnableHtmlSanitizer in Rich Text Editor, the JS code didn't get executed and also that event is not added in the DOM element too. we have also used the code you have shared and prepared a sample and video illustration for your reference,Sample: https://www.syncfusion.com/downloads/support/directtrac/general/ze/RTE_Server723727902Video illustration: https://www.syncfusion.com/downloads/support/directtrac/general/ze/Vid_RTE_07-2021687848Please check the above sample and let us know about the exact issue you are facing.If possible, please share us with the issue reproducing runnable sample.Regards,Vinitha