Adding Dynamic Content when inserting a hyperlink

Hi there,

Can someone please tell me how I could add some ASP Code into a href in FCK. For instance when I wish to add a link I need the URL to be dynamic depending on certain circumstances. When I type <%= LinkVariable %> into the URL textbox the code is changed to HTML Unicode. How can I get round this?

Do I need to comment or un comment:

FCKConfig.ProtectedSource.Add( /<%[\s\S]*?%>/g ) ;   // ASP style server side code <%...%

>

I've even tried adding <% Response.Write("Hello World") %> to the source of my textbox content but this doesn't work either.

Any ideas anyone?

Tue, 10/27/2009 - 20:51

dtleahy

Joined: 09/01/2009

Posts: 50

Re: Adding Dynamic Content when inserting a hyperlink

I see that

<a href="<%=(LinkVariable)%>">blabla</a>

is being changed to

<a href="&lt;%=(LinkVariable)%&gt;">blabla</a>

You got me curious, so I tested it, and if the code is inserted onto the page with the escaped HTML, sure enough, it does not work (the ASP code is not fully rendered early enough to be interpreted server-side.)

On the other hand, if the escaped code was saved in a database and was then coming from a (server-side) database and being written to the page, I would think it would render the ASP code correctly. I'd have to try it to be sure, but I wonder if you were careful to get the code sequence correct, would it still work?

If there is not a configuration solution to make the editor stop translating the < and > symbols in a dynamic link, then my suggestion would be to write a replace function. (ASP/VBScript replace shown below) similar to the one you should be using to prevent SQL injection. If your users are typing in data that is going into a database, then, just add it to your existing function:

Private Function preventInjection(ByRef theString)
theString = Replace(theString, "--", "&#45;&#45;") 'removes double dash sql comment
theString = Replace(theString, "&lt;", "<") 'replaces <
theString = Replace(theString, "&gt;", ">") 'replaces >
theString = Replace(theString, "'", "&#39;") 'removes lone apostrophe's '
preventInjection = theString
End Function

(I know there are several ways to remove lone apostrophes - yours may be different than above.)

If you are using the HTML output directly from the editor and "pasting" it onto a page, then I would add just the < and > replace functions as an intermediate processing step in the POST event.

If you want to only use the replace function for replacing < and > when they are part of an ASP variable, you could be more specific:

Private Function preventInjection(ByRef theString)
theString = Replace(theString, "--", "&#45;&#45;") 'removes double dash sql comment
theString = Replace(theString, "&lt;%=", "<%=") 'replaces <%=
theString = Replace(theString, "=&gt;", "=>") 'replaces =>
theString = Replace(theString, "'", "&#39;") 'removes lone apostrophe's '
preventInjection = theString
End Function

HTH,

Dennis