Ticket #294 (closed New Feature: fixed)

Opened 8 years ago

Last modified 7 years ago

ValidateRequest="true" problem how to avoid for ASP.NET developers...

Reported by: demo1 Owned by: fredck
Priority: Normal Milestone: FCKeditor.Net 2.5
Component: Server : ASP.Net Version:
Keywords: Cc: frobijn@…

Description

Hello to all FCKeditor developer guys.

I am interested in why ValidateRequest needs to be set to false when using ASP.NET. Why not simply integrate Base64-encoded content? Then this problem would not exist, and all the Base64 work would be done by poor JavaScript, so on a GET or POST request the content would be encrypted in Base64. There would also be no need to set ValidateRequest to false, and the Base64 would be decoded automatically on the server side. What do you think about that feature for ASP.NET developers?

P.S. Sorry for my bad English :]

Change History

comment:1 Changed 8 years ago by alfonsoml

  • Cc frobijn@… added

In ASP.NET, server-side request validation does not accept the FCKeditor value because of the embedded HTML tags.

Setting ValidateRequest="false" works, but is a bad (insecure) solution. Rather, it would be helpful to have an option to make the FCKeditor value safe. This can be done quite easily (tested in IE 6 and Firefox 1.0):

  • In fckconfig.js, add:
    // Enable ASP.NET support
    FCKConfig.EnableASPNet = true;
    
  • In internals\fcktools.js, change:
    FCKTools.SetLinkedFieldValue = function( value )
    {
      if (FCKConfig.EnableASPNet)
      {
        // HTML-encode the value so ASP.NET request validation accepts the post ('&' is encoded first)
        FCK.LinkedField.value = value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
      }
      else
      {
        FCK.LinkedField.value = value;
      }
    }
    
  • In FCKEditor.cs, change the LoadPostData method:

Replace:

Value = postCollection[postDataKey];

By:

string sValue = postCollection[postDataKey];
if (sValue != null)
{
  // Reverse the client-side encoding; "&amp;" is decoded last
  sValue = sValue.Replace("&lt;", "<").Replace("&gt;", ">").Replace("&quot;", "\"").Replace("&amp;", "&");
}
Value = sValue;

Moved from SourceForge: https://sourceforge.net/tracker/index.php?func=detail&aid=1121858&group_id=75348&atid=543656

Original poster: Frank Robijn
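The encode/decode round trip proposed in comment:1, as an added JavaScript example (not FCKeditor or FCKeditor.Net code). All function names and the sample are constructed, and `looksDangerous` is only a simplified approximation of ASP.NET request validation, assumed here to reject `<` followed by a letter, `!`, `/` or `?`, and the sequence `&#`.

```javascript
// Added illustration; function names are hypothetical, not FCKeditor API.

// Client side: encode before writing to the hidden field. '&' must be
// encoded first, otherwise the '&' of the entities produced by the later
// replacements would be encoded a second time.
function encodeForPost(html) {
  return html.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
             .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Server side (written in JavaScript here): the exact inverse. '&amp;' must
// be decoded last, otherwise text that was literally "&lt;" in the editor
// content would be turned into "<".
function decodePosted(value) {
  return value.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
              .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Wrong order, kept only to show the corruption it causes.
function decodePostedAmpFirst(value) {
  return value.replace(/&amp;/g, '&').replace(/&lt;/g, '<')
              .replace(/&gt;/g, '>').replace(/&quot;/g, '"');
}

// Assumption: simplified stand-in for the server-side request validation.
function looksDangerous(value) {
  return /<[a-z!\/?]|&#/i.test(value);
}

// Constructed sample: markup, a quoted attribute, and entities that are
// already part of the editor content.
const SAMPLE = '<p title="a&b">1 &lt; 2 &amp; &#169;</p>';

function roundTrip(html) {
  const posted = encodeForPost(html);
  return {
    posted,
    rejectedRaw: looksDangerous(html),
    rejectedEncoded: looksDangerous(posted),
    decoded: decodePosted(posted),
    decodedAmpFirst: decodePostedAmpFirst(posted),
  };
}
```

The decoded value is the editor's raw HTML again, so it still needs sanitizing before it is rendered anywhere.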

comment:2 Changed 8 years ago by fredck

  • Milestone set to FCKeditor 2.5

My proposal is to add a setting called "HtmlEncodeOutput", which makes the magic before updating the hidden field. So, one can decide when to use it or not. We must remember to check it when using ReplaceTextarea(), as I have the impression that textareas do that by default.

Then, we should update FCKeditor.Net to always enable HtmlEncodeOutput, and process the posted data similarly to the above proposition. The only problem with it is that FCKeditor.Net would become incompatible with previous versions of FCKeditor.

comment:3 Changed 7 years ago by fredck

  • Milestone changed from FCKeditor 2.5 to FCKeditor.Net 2.3

Ticket #1266 has been opened for the HtmlEncodeOutput feature. In this way we can separate the tasks to the appropriate milestones.

comment:4 Changed 7 years ago by fredck

  • Status changed from new to closed
  • Resolution set to fixed

Fixed with [1172].

The HtmlEncodeOutput setting is now enforced by the editor component, so we are no longer dependent on the ValidateRequest setting.
