Opened 19 years ago

Closed 18 years ago

#294 closed New Feature (fixed)

ValidateRequest="true" problem how to avoid for ASP.NET developers...

Reported by: Demon Owned by: Frederico Caldeira Knabben
Priority: Normal Milestone: FCKeditor.Net 2.5
Component: Server : ASP.Net Version:
Keywords: Cc: frobijn@…

Description

Hello to all the FCKeditor developers.

I am interested in why ValidateRequest needs to be set to false when using ASP.NET. Why not simply integrate Base64-encoded content? Then this problem wouldn't be relevant, and all the Base64 would be done by poor JavaScript, so on a GET or POST request the content would be encrypted in Base64; also there would be no need to set ValidateRequest to false, and the Base64 would be decoded automatically on the server side. What do you think about that feature for ASP.NET developers?

P.S. Sorry for my bad English :]

Change History (4)

comment:1 Changed 18 years ago by Alfonso Martínez de Lizarrondo

Cc: frobijn@… added

In ASP.NET, server-side request validation does not accept the FCKeditor value because of the embedded HTML tags.

Setting ValidateRequest="false" works, but is a bad (insecure) solution. Rather, it would be helpful to have an option to make the FCKeditor value safe. This can be done quite easily (tested in IE 6 and Firefox 1.0):

  • In fckconfig.js, add:
    // Enable ASP.NET support
    FCKConfig.EnableASPNet = true;
    
  • In internals\fcktools.js, change:
    FCKTools.SetLinkedFieldValue = function( value )
    {
      if (FCKConfig.EnableASPNet)
      {
        // Encode "&" first so the entities produced below are not double-encoded.
        FCK.LinkedField.value = value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
      }
      else
      {
        FCK.LinkedField.value = value;
      }
    }
    
  • In FCKEditor.cs, change the LoadPostData method:

Replace:

    Value = postCollection[postDataKey];

By:

    // Reverse the client-side encoding; "&amp;" must be decoded last.
    string sValue = postCollection[postDataKey];
    if (sValue != null)
    {
      sValue = sValue.Replace("&lt;", "<").Replace("&gt;", ">").Replace("&quot;", "\"").Replace("&amp;", "&");
    }
    Value = sValue;

Moved from SourceForge: https://sourceforge.net/tracker/index.php?func=detail&aid=1121858&group_id=75348&atid=543656
Original poster: Frank Robijn

comment:2 Changed 18 years ago by Frederico Caldeira Knabben

Milestone: FCKeditor 2.5

My proposal is to add a setting called "HtmlEncodeOutput", which does the magic before updating the hidden field. So, one can decide when to use it or not. We must remember to check it when using ReplaceTextarea(), as I have the impression that textareas do that by default.

Then, we should update FCKeditor.Net to always enable HtmlEncodeOutput, and process the posted data similarly to the above proposition. The only problem with it is that FCKeditor.Net would become incompatible with previous versions of FCKeditor.

comment:3 Changed 18 years ago by Frederico Caldeira Knabben

Milestone: FCKeditor 2.5 → FCKeditor.Net 2.3

Ticket #1266 has been opened for the HtmlEncodeOutput feature. In this way we can separate the tasks to the appropriate milestones.

comment:4 Changed 18 years ago by Frederico Caldeira Knabben

Resolution: fixed
Status: new → closed

Fixed with [1172].

The HtmlEncodeOutput setting is now enforced by the editor component, so we are no longer dependent on the ValidateRequest setting.
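
The encode-then-decode round trip proposed in comment:1, as an added JavaScript example that is not FCKeditor code. The function names are hypothetical, decodeFromPost is a JavaScript stand-in for the C# LoadPostData change, and looksLikeMarkup is an assumed, simplified approximation of what ASP.NET request validation rejects.

```javascript
// Added example, not FCKeditor code; all function names are hypothetical.

// Client side: encode the editor HTML before it is written to the posted field.
function encodeForPost(html) {
  return html
    .replace(/&/g, '&amp;') // first, so entities added below are not re-encoded
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Server side (JavaScript stand-in for the C# decode): reverse the encoding.
function decodeFromPost(value) {
  if (value == null) return value;
  return value
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" comes back as the text "&lt;"
}

// Wrong order, shown for contrast: decoding "&amp;" first turns text the
// author had escaped ("&lt;") into a live "<".
function decodeAmpFirst(value) {
  return value
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"');
}

// Assumed approximation of the request validation check: "<" followed by a
// letter, "!", "/" or "?", or the sequence "&#".
function looksLikeMarkup(value) {
  return /<[a-z!\/?]|&#/i.test(value);
}

// Constructed sample: a tag, a quoted attribute, an escaped "<" and a numeric entity.
const SAMPLE = '<p title="a&b">1 &lt; 2 &#169;</p>';
const encoded = encodeForPost(SAMPLE);

console.log(encoded);
console.log(looksLikeMarkup(SAMPLE), looksLikeMarkup(encoded));
console.log(decodeFromPost(encoded) === SAMPLE);
console.log(decodeAmpFirst(encoded));
```

The decoded value is still untrusted HTML: the encoding only gets it past request validation, so it needs the same server-side sanitising as any other user-supplied markup.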
