From fc360288a1498cc4145c77d75f998d27d59f0890 Mon Sep 17 00:00:00 2001 From: Marin Bratanov Date: Mon, 15 Mar 2021 19:03:32 +0200 Subject: [PATCH 1/7] docs(editor): paste cleanup initial --- _contentTemplates/editor/general.md | 3 ++ components/editor/overview.md | 2 +- components/editor/paste-cleanup.md | 78 +++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 _contentTemplates/editor/general.md create mode 100644 components/editor/paste-cleanup.md diff --git a/_contentTemplates/editor/general.md b/_contentTemplates/editor/general.md new file mode 100644 index 0000000000..11bd1952d9 --- /dev/null +++ b/_contentTemplates/editor/general.md @@ -0,0 +1,3 @@ +#app-must-sanitize-content +The application must sanitize the content before passing it to the editor and, optionally, before saving it to its storage after obtaining it from the editor. It is up to the application to ensure there is no malicious content (such as input sanitization, XSS attack prevention and other security concerns). +#end \ No newline at end of file diff --git a/components/editor/overview.md b/components/editor/overview.md index 394b3daf2b..d034788fcc 100644 --- a/components/editor/overview.md +++ b/components/editor/overview.md @@ -96,7 +96,7 @@ You can use the following features to get or set the editor content: * The `ValueChanged` [event]({%slug editor-events%}) lets you receive the value and act on it. If you use the `ValueChanged` event (no two-way binding), you can effectively cancel the user's input by not updating the view-model, or you can even alter it with something else. ->important The application must sanitize the content before passing it to the editor and, optionally, before saving it to its storage after obtaining it from the editor. It is up to the application to ensure there is no malicious content (such as input sanitization, XSS attack prevention and other security concerns). +>important @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) ## Methods diff --git a/components/editor/paste-cleanup.md b/components/editor/paste-cleanup.md new file mode 100644 index 0000000000..7503ff4c64 --- /dev/null +++ b/components/editor/paste-cleanup.md @@ -0,0 +1,78 @@ +--- +title: Paste Cleanup +page_title: Editor - Paste Cleanup +description: Paste Cleanup of the content of the Editor for Blazor, such as from MS Word. +slug: editor-paste-cleanup +tags: telerik,blazor,editor,paste,cleanup +position: 70 +--- + +# Editor Paste Cleanup + +The Telerik Editor component for Blazor can improve the quality of the content pasted into it by removing tags and attributes, and by fixing issues such as lists pasted from Microsoft Word. + +#### In this article + + +* [Basics](#basics) +* [Paste Settings Features](#paste-settings-features) +* [Notes](#notes) + + +## Basics + +To control the behavior of the editor when content is pasted, you can set the desired parameters to its `EditorPasteSettings` tag that you can find under the `EditorSettings` tag. + +>caption Set pasting behaviors in the Telerik Editor + +````CSHTML +@* Some sample paste cleanup settings to showcase their usage *@ + + + + + + + +@code { + public string EditorValue { get; set; } + public List RemoveAttributes { get; set; } = new List() { "onclick", "onerror" }; + public List StripTags { get; set; } = new List() { "font" } ; +} +```` + +## Paste Settings Features + +The following list describes the behaviors and functionality each parameter of the `EditorPasteSettings` provides: + +* `ConvertMsList` - `bool` - If set to `true`, MS Word lists will be converted into HTML lists. By default, Word's list are paragraphs with the respective styling which is not accurate in html. + +* `RemoveHtmlComments` - `bool` - If set to `true`, comments will be removed from the HTML. +For example, `

content

` will result in `

content

` + +* `RemoveAllAttributes` - `bool` - Determines whether all DOM attributes should be stripped. Takes precedence over `RemoveMsClasses`, `removeMsStyles`, `RemoveAttributes`. + +* `RemoveMsClasses` - `bool` - If set to `true`, class attributes starting with `Mso` will be removed from the HTML. These are usually classes that come with content pasted from MS Word. For example, `

pasted from MS Word

` will result in `

pasted from MS Word

`. + +* `RemoveMsStyles` - `bool`- If set to `true`, style attributes starting with `Mso` will be removed from the HTML. These are usually styles that come with content pasted from MS Word. For example, `

content

` will result in `

content

`. + +* `StripTags` - `List` - Specifies a list of tags to be removed from the HTML. Child nodes of removed tags will be kept in place. For example. when `StripTags` is `{ "span" }` , pasting `

content

` will result in `

content

`. + +* `RemoveAttributes` - `List` - Specifies the DOM attributes that should be removed from the HTML. For example, when set to `{ "lang" }` , pasting `

content

` will result in `

content

`. + + + +## Notes + +>caution The content cleaning the editor performs happens on paste only. The user can still alter the HTML and if you are sending or receiving data over the wire, there is a chance such requests can be interecepted and altered maliciously. Therefore, the paste cleanup functionality of the editor cannot and does not replace content sanitization according to the application's standards and logic. +> +> @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) + +## See Also + + * [Editor Overview]({%slug editor-overview%}) From 8bb26ae0a332ba5103dd0a409741265923874ba2 Mon Sep 17 00:00:00 2001 From: Marin Bratanov Date: Tue, 16 Mar 2021 20:23:27 +0200 Subject: [PATCH 2/7] docs(editor): default values,note on content size --- _contentTemplates/editor/general.md | 13 +++++++++++++ components/editor/overview.md | 2 ++ components/editor/paste-cleanup.md | 8 +++++--- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/_contentTemplates/editor/general.md b/_contentTemplates/editor/general.md index 11bd1952d9..da4476c87e 100644 --- a/_contentTemplates/editor/general.md +++ b/_contentTemplates/editor/general.md @@ -1,3 +1,16 @@ #app-must-sanitize-content The application must sanitize the content before passing it to the editor and, optionally, before saving it to its storage after obtaining it from the editor. It is up to the application to ensure there is no malicious content (such as input sanitization, XSS attack prevention and other security concerns). +#end + +#content-size-signalr +Content in the editor can become very large. For example, the user may have pasted an entire document, or pasted content has an image that will get converted to its `base64` representation that is rather large. With a server-side Blazor application, large content can cause the SignalR connection to drop because the content might exceed its limit. To cater for such cases, you may need to increase that packet limit. You can do that with a line similar to this: + + +**C#** + + services.AddServerSideBlazor().AddHubOptions(o => + { + o.MaximumReceiveMessageSize = 4 * 1024 * 1024; // 4MB + }); + #end \ No newline at end of file diff --git a/components/editor/overview.md b/components/editor/overview.md index d034788fcc..8e78edbb58 100644 --- a/components/editor/overview.md +++ b/components/editor/overview.md @@ -99,6 +99,8 @@ You can use the following features to get or set the editor content: >important @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) +@[template](/_contentTemplates/editor/general.md#content-size-signalr) + ## Methods The editor [reference](#component-reference) exposes the `ExecuteAsync` method which lets you call programmatically the tools and commands of the editor (such as the Bold too, or a Back Color tool, or inserting HTML). diff --git a/components/editor/paste-cleanup.md b/components/editor/paste-cleanup.md index 7503ff4c64..21b3aae730 100644 --- a/components/editor/paste-cleanup.md +++ b/components/editor/paste-cleanup.md @@ -50,16 +50,16 @@ To control the behavior of the editor when content is pasted, you can set the de The following list describes the behaviors and functionality each parameter of the `EditorPasteSettings` provides: -* `ConvertMsList` - `bool` - If set to `true`, MS Word lists will be converted into HTML lists. By default, Word's list are paragraphs with the respective styling which is not accurate in html. +* `ConvertMsList` - `bool` - If set to `true` (defaults to `true`), MS Word lists will be converted into HTML lists. By default, Word's list are paragraphs with the respective styling which is not accurate in html. * `RemoveHtmlComments` - `bool` - If set to `true`, comments will be removed from the HTML. For example, `

content

` will result in `

content

` * `RemoveAllAttributes` - `bool` - Determines whether all DOM attributes should be stripped. Takes precedence over `RemoveMsClasses`, `removeMsStyles`, `RemoveAttributes`. -* `RemoveMsClasses` - `bool` - If set to `true`, class attributes starting with `Mso` will be removed from the HTML. These are usually classes that come with content pasted from MS Word. For example, `

pasted from MS Word

` will result in `

pasted from MS Word

`. +* `RemoveMsClasses` - `bool` - If set to `true` (defaults to `true`), class attributes starting with `Mso` will be removed from the HTML. These are usually classes that come with content pasted from MS Word. For example, `

pasted from MS Word

` will result in `

pasted from MS Word

`. -* `RemoveMsStyles` - `bool`- If set to `true`, style attributes starting with `Mso` will be removed from the HTML. These are usually styles that come with content pasted from MS Word. For example, `

content

` will result in `

content

`. +* `RemoveMsStyles` - `bool`- If set to `true` (defaults to `true`), style attributes starting with `Mso` will be removed from the HTML. These are usually styles that come with content pasted from MS Word. For example, `

content

` will result in `

content

`. * `StripTags` - `List` - Specifies a list of tags to be removed from the HTML. Child nodes of removed tags will be kept in place. For example. when `StripTags` is `{ "span" }` , pasting `

content

` will result in `

content

`. @@ -69,6 +69,8 @@ For example, `

content

` will result in `

content

caution The content cleaning the editor performs happens on paste only. The user can still alter the HTML and if you are sending or receiving data over the wire, there is a chance such requests can be interecepted and altered maliciously. Therefore, the paste cleanup functionality of the editor cannot and does not replace content sanitization according to the application's standards and logic. > > @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) From 9beb85430b7afe91a45b85f52fd39b2169683407 Mon Sep 17 00:00:00 2001 From: Marin Bratanov Date: Wed, 17 Mar 2021 15:44:14 +0200 Subject: [PATCH 3/7] docs(editor): notes on pasting and behaviors --- components/editor/paste-cleanup.md | 48 +++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/components/editor/paste-cleanup.md b/components/editor/paste-cleanup.md index 21b3aae730..34236d3e02 100644 --- a/components/editor/paste-cleanup.md +++ b/components/editor/paste-cleanup.md @@ -26,7 +26,9 @@ To control the behavior of the editor when content is pasted, you can set the de >caption Set pasting behaviors in the Telerik Editor ````CSHTML -@* Some sample paste cleanup settings to showcase their usage *@ +

Copy this paragraph that has some inline font and inline styles and paste it in the Editor.

+ +@* Some sample paste cleanup settings to showcase their usage- the first three ones are commonly used for MS Word and these are their default values *@ @@ -39,10 +41,15 @@ To control the behavior of the editor when content is pasted, you can set the de + +The editor content as a string so you can see the differences with the original content above: +
+@EditorValue + @code { public string EditorValue { get; set; } - public List RemoveAttributes { get; set; } = new List() { "onclick", "onerror" }; - public List StripTags { get; set; } = new List() { "font" } ; + public List RemoveAttributes { get; set; } = new List() { "data-id" }; + public List StripTags { get; set; } = new List() { "font" }; } ```` @@ -69,12 +76,45 @@ For example, `

content

` will result in `

content

caution The content cleaning the editor performs happens on paste only. The user can still alter the HTML and if you are sending or receiving data over the wire, there is a chance such requests can be interecepted and altered maliciously. Therefore, the paste cleanup functionality of the editor cannot and does not replace content sanitization according to the application's standards and logic. +### Content Sanitization + +>caution The content cleaning the editor performs happens on paste only. The user can still alter the HTML and if you are sending or receiving data over the wire, there is a chance such requests can be interecepted and altered maliciously if the application is not secured. Therefore, the paste cleanup functionality of the editor cannot and does not replace content sanitization according to the application's standards and logic. > > @[template](/_contentTemplates/editor/general.md#app-must-sanitize-content) + +The editor clears `