Hi All,

I have an HTML Editor. I've made it into a .NET control (.ascx) so I can use it in multiple projects. The editor comprises a bunch of JavaScript-run buttons to control the bold, underline, etc. and an iFrame that is editable. In order to capture the HTML out of the editor for use in the VB backcode of the ASPX page, I have to add an onclick JavaScript handler on the page's submit button that takes the HTML out of the iFrame and injects it into a server-side hidden field. This works great, except when the HTML gets more complicated.

If a user puts anything in the iFrame that ASP sees as possibly malicious, I get flagged about it and the page shuts down. For instance, if I put in

asdf

asdf

and submit, it sees the < of the HTML as malicious because it could lead to server-side code execution. What usually happens is that ASP.NET HTML-encodes everything so the < becomes "&lt;" instead, so no code can execute. Originally, I had a JavaScript function that just swapped out all of this to avoid it, but JavaScript can easily be fooled with the right tools.

So the question comes down to: how can I grab this info and SECURELY encode it so my injection doesn't fail? Remember that the whole injection takes place inside JavaScript, thus presenting the entire problem!

Or, if you can think of a better way to pull this off, please tell!!

TIA,
Matt
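An added illustration (not from Matt's post or his editor control) of the arrangement that holds up once you accept that the client-side JavaScript can be bypassed: the browser only packs the iFrame's HTML for transport into the hidden field, and the server decodes it and runs an allowlist sanitizer before storing or rendering it. Both halves are written in JavaScript so they can run together here; in the real control the server half would live in the VB code-behind. The function names, the tag/attribute allowlist and the sample inputs are assumptions chosen for a bold/underline/link editor.

```javascript
// Added example, not the original poster's code. Demonstrates:
//  1. client side: encode the editor HTML for transport (no raw "<" in the form value)
//  2. server side: decode it and apply an allowlist sanitizer before trusting it
// The allowlist below is an assumption for a simple formatting editor.

const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br", "a", "strong", "em"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) }; // only <a href> keeps an attribute

// Client side (runs in the submit button's onclick): percent-encode the HTML so the
// hidden field carries no literal markup. This is transport only, not a security control.
function encodeForTransport(html) {
  return encodeURIComponent(html);
}

// Server side: undo the transport encoding before sanitizing.
function decodeFromTransport(value) {
  return decodeURIComponent(value);
}

// Escape loose text; already-formed entities such as &nbsp; or &#160; are left alone.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z]+;|#\d+;)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Keep only absolute http(s) links; javascript:, data: and relative values are dropped.
function safeHref(value) {
  const v = value.trim();
  return /^https?:\/\//i.test(v) ? v : null;
}

// Allowlist sanitizer: keeps the listed tags, drops every other tag (its text content
// survives, escaped), strips all attributes except those explicitly allowed, and removes
// <script>/<style> blocks together with their contents.
function sanitizeHtml(html) {
  const src = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    out += escapeText(src.slice(last, m.index)); // text before this tag
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith("</");
    if (!ALLOWED_TAGS.has(name)) continue; // disallowed tag: dropped entirely
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      let a;
      attrRe.lastIndex = 0;
      while ((a = attrRe.exec(m[2])) !== null) {
        const attrName = a[1].toLowerCase();
        if (!allowed.has(attrName)) continue;
        let attrValue = a[2] ?? a[3] ?? a[4] ?? "";
        if (attrName === "href") {
          const h = safeHref(attrValue);
          if (h === null) continue; // unsafe scheme: attribute dropped
          attrValue = h;
        }
        attrs += ` ${attrName}="${escapeText(attrValue)}"`;
      }
    }
    out += name === "br" ? "<br>" : `<${name}${attrs}>`;
  }
  out += escapeText(src.slice(last)); // trailing text after the last tag
  return out;
}

// End-to-end path the hidden field would follow (constructed sample input).
function submitAndSanitize(editorHtml) {
  const hiddenFieldValue = encodeForTransport(editorHtml); // browser
  return sanitizeHtml(decodeFromTransport(hiddenFieldValue)); // server
}
```

With a server-side sanitizer like this in place, the ASPX page can carry ValidateRequest="false" in its @Page directive for this one form, because the validation that matters is now done on the decoded value rather than relying on the hidden field never containing "<". The regex tokenizer here is enough to show the allowlist idea; for a production control, a maintained HTML sanitizer library in the code-behind is the right tool, since hand-written HTML parsing is easy to get subtly wrong.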