Hi, there. I'm pretty new to ASP.NET, but I'm working on a very simple dynamic website (almost a wiki but not quite).
I've managed to set it up so that it will dynamically read and display content loaded from XML files, and I have an edit page with a FckEditor box on, which correctly loads the content of the page you are trying to edit.
The problem is that as soon as I put in any HTML stuff, it complains (quite rightly, I guess) about potentially dangerous HTML code:
A potentially dangerous Request.Form value was detected from the client (FCKeditor1="<p>Hello World!</p> ...").
I have a Save button, and was thinking of using Server.HtmlEncode in there to convert it to safer HTML, but it's not even getting there. FckEditor is returning it as HTML to my page, and that's causing it to bomb out.
Is there a way to get this to work? I was hoping that there was a setting on FckEditor to return encoded text, but I can't find it.
If not, I'll just have to use a stylesheet (I saw the stylesheet options) or something to change all the special characters to safe text.
Is that the best way to do it? Or would a better way be to come up with a Wiki-style syntax of my own?

RE: ASP.NET error: dangerous HTML (newbie q)
https://sourceforge.net/tracker/index.p ... tid=543656
RE: ASP.NET error: dangerous HTML (newbie q)
For example, I stumble when I try to change the FCKTools.SetLinkedFieldValue, because this function doesn't seem to exist. I'm trying to work out where this functionality might have been moved to, but a search in all files for SetLinkedFieldValue doesn't return anything.
One other thing: There seems to already be a HTMLEncode function in the javascript. This seems to be used for maintaining styles when pasting into the editor, and I suppose for converting HTML entered into the WYSIWYG portion of the editor, but is there any reason it couldn't be used for making the output HTML safe? I can make this change myself if you tell me where the correct function is that returns the text
RE: ASP.NET error: dangerous HTML (newbie q)
I'm looking for a solution too....
RE: ASP.NET error: dangerous HTML (newbie q)
Basically, I'm just using the JavaScript escape function to encode the HTML. Presently I'm using C# to handle the back end in an ASP.NET solution. More specifically, I've wrapped the FCKeditor into a very functional and highly amusing control, which now works like I wanted. And yeah, if you ask, I might share.
Using the new event handlers from the FCKeditor, we find this:
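<script language="javascript">
// Called by FCKeditor once the editor instance has finished loading.
function FCKeditor_OnComplete(editorInstance)
{
    // Run escapeValue each time the editor copies its HTML into the linked form field.
    editorInstance.Events.AttachEvent('OnAfterLinkedFieldUpdate', escapeValue);
}

// Replace the raw HTML in the linked field with its escape()-encoded form before the post.
function escapeValue(editorInstance)
{
    editorInstance.LinkedField.value = escape(editorInstance.LinkedField.value);
}
</script>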
And yeah, from the guy that posted, the SetLinkedFieldValue function is gone. I looked for it and tried that solution too; it's no good anymore. But this one works, and is much more aesthetically pleasing (and leaves the FCKeditor source files alone). In the "escapeValue" function, just encode the HTML how you want it... I like "escape" because it works really well, but you don't have to... it does make the encoding much larger. So do what you want. I'm feeding the control unescaped code from the database (pre-unescaped) so the only thing I have to do here is escape it.
Good luck!
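
Added example (not part of any post above, and not FCKeditor or ASP.NET code): the round trip the last post relies on, showing that escape() only gets the field past request validation, so the decoded value is the original markup and still has to be HTML-encoded or sanitized before it is rendered. All function names are hypothetical, and looksDangerous is an assumed, simplified approximation of the ASP.NET check.

```javascript
// Added example: names below are hypothetical, not FCKeditor or ASP.NET APIs.

// Simplified approximation (assumption) of ASP.NET request validation:
// reject "<" followed by a letter, "!", "/" or "?", and the sequence "&#".
function looksDangerous(value) {
  return /<[a-z!\/?]|&#/i.test(value);
}

// Client side: what escapeValue() in the post does to the linked field.
function encodeForPost(html) {
  return escape(html);
}

// Server-side stand-in: undo the encoding before storing or processing.
function decodeOnServer(posted) {
  return unescape(posted);
}

// Output encoding for places where the stored text must not render as markup
// (the role Server.HtmlEncode plays in the original question).
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Constructed sample input: the page's example plus two non-ASCII characters.
const typed = '<p>Hello World! caf\u00e9 \u20ac5</p>';
const posted = encodeForPost(typed);   // what the form actually submits
const stored = decodeOnServer(posted); // what the save handler ends up with

console.log('posted:', posted);
console.log('raw flagged:', looksDangerous(typed), '| encoded flagged:', looksDangerous(posted));
console.log('round trip intact:', stored === typed);
console.log('encoded for display:', htmlEncode(stored));
```

The encoded field passes the check only because the check no longer sees markup; nothing has been filtered, so the save handler must treat the decoded value as untrusted input.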