I was recently helping a colleague with writing some custom buttons in the Telerik Rich Text Editor. Our button injects JavaScript into the content of the field and we noticed some of the JavaScript was being stripped by Telerik. This has been an annoying issue for many versions of Sitecore. The solution is quite simple and requires a small change to a built-in Sitecore file.
Telerik’s documentation explains a content filter that can be applied to strip script tags. The goal of the custom code it to override the Telerik editor and disable the filter from being applied.
Open \Website\sitecore\shell\Controls\Rich Text Editor\EditorPage.aspx
The C# is compiled in the Sitecore.Client.dll assembly, so let’s add in our own C# code right into this page. Add in the following block of code to run before the normal Page_Load:
[csharp]
<script runat="server">
protected override void OnLoad(EventArgs e)
{
Editor.DisableFilter(EditorFilters.RemoveScripts);
base.OnLoad(e);
}
</script>
[/csharp]
Note: this was tested on Sitecore 6.4
Just consider the upgrade path here. Before you run an upgrade of Sitecore you’d want to backup this built-in file just in case.
Update (1/19/2012)
While working with a colleague (Mark Graber, Sitecore MVP) we determined a better way to do this via a configuration patch so you don’t need to edit the built-in Sitecore editor page.
Create a class that inherits Sitecore.Shell.Controls.RichTextEditor.EditorConfiguration. Next, override the SetupFilters() method and in there run the same code to remove the filter, like so:
[csharp]
protected override void SetupFilters()
{
Editor.DisableFilter(EditorFilters.RemoveScripts);
base.SetupFilters();
}
[/csharp]
Now, register this new class in the config setting “HtmlEditor.DefaultConfigurationType” like so:
[xml]
<setting name="HtmlEditor.DefaultConfigurationType" value="MyProject.EditorConfiguration, MyProject"/>
[/xml]
Update (2/16/2012)
It has been reported (in the comments) that there is still an issue that scripts are removed when you switch to HTML view of the RTE. I was only able to reproduce this issue in Internet Explorer but it does appear to be a problem still.
Additionally, it appears newer releases of Sitecore have the above solution baked in with a new setting called HtmlEditor.RemoveScripts which affects the built-in EditorConfiguration class based on the setting. My post was written on 1/10/2012 and Update 6 to Sitecore 6.4.1 was released on 1/13/2012 with this setting. So this should now be a built-in setting to Sitecore which will make it easier to configure out of the box!
And as another caution to anyone before they remove this, consider why they might want to put this into place to begin with. I’ve seen plenty of content editors who have no idea what it is that they’re pasting into the text editor. The limits of content editors should be taken into account and if you have a large number of editors that you may not ever have the luck of training, the likelihood of them pasting in malicious code goes up astronomically. Tracking code is usually common but they may very well be copying and pasting content from any unknown source where the code isn’t seen. Just at least consider it.
Your configuration patch works great when selecting the save button on the Content Editor. However, if you switch to Design mode and back to HTML mode in the Content Editor, the script tags still get stripped. I understand your given code would not handle that sequence of events but any ideas on what would?
Hi Dennis, thanks for letting me know — I wasn’t aware! Not sure how to fix that, if I have a solution, I’ll update the post.
Dennis, I seem to be only able to reproduce this script removal issue in IE. Is that the case for you?
It’s an issue for me in IE8 and FF9.0.1. I haven’t tested any other browsers.
Important to note is that I am using v6.5.0 rev.111230.
According to Sitecore support, the HtmlEditor.RemoveScripts setting was introduced in 6.4.1 but wasn’t merged into 6.5.0 but should in the next revision. The workaround is to set AllowScripts=”true” in the \Website\sitecore\shell\Controls\Rich Text Editor\EditorPage.aspx file on the telerik:RadEditor control BUT to set it after all DocumentManager-XXX attributes. ORDER DOES MATTER! when it comes to this.
I made both changes (HtmlEditor.RemoveScripts and AllowScripts) and the script tags do not get stripped rather I select the Accept button on the editor or move from HTML to Design and back to HTML mode on the editor.