-
Sep 17th, 2008, 03:05 PM
#1
Thread Starter
Hyperactive Member
[2005] HTML Editor Problem HELP NEEDED ASAP
Hi All,
I have an HTML Editor. I've made it into a .NET control (.ascx) so I can use it in multiple projects. The editor comprises a bunch of JavaScript-run buttons to control bold, underline, etc. and an iFrame that is editable. In order to capture the HTML out of the editor for use in the VB backcode of the ASPX page, I have to add an onclick JavaScript handler on the page's submit button that takes the HTML out of the iFrame and injects it into a server-side hidden field. This works great, except when the HTML gets more complicated.
If a user puts anything in the iFrame that ASP sees as possibly malicious, I get flagged about it and the page shuts down. For instance, if I put in
asdf
asdf
and submit, it sees the < of the HTML as malicious because it could lead to server-side code execution. What usually happens is that ASP.NET HTML encodes everything so the < becomes "&lt;" instead, so no code can execute. Originally, I had a JavaScript function that just swapped all of this out to avoid it, but JavaScript can easily be fooled with the right tools.
So the question comes down to: how can I grab this info and SECURELY encode it so my injection doesn't fail? Remember that the whole injection takes place inside JavaScript, thus presenting the entire problem!
Or, if you can think of a better way to pull this off, please tell!!
TIA,
Matt
VS 2010 / .NET 4.0 / ASP.NET 4.0
-
Sep 17th, 2008, 05:56 PM
#2
Re: [2005] HTML Editor Problem HELP NEEDED ASAP
Hey,
I am not sure about the answer to your question, but I thought I would offer a suggestion....
Is there a reason why you are creating your own version of something that is out there that has been tried and tested? Namely, FreeTextBox and FCKEditor.
Just a thought.
Gary
-
Sep 18th, 2008, 07:53 AM
#3
Re: [2005] HTML Editor Problem HELP NEEDED ASAP
Either I understood it wrong or you have it wrong... you're making an HTML editor, but are you saying that you want to prevent any HTML from being inserted?
Assuming a resounding no in answer to that question, you will need to disable request validation. Add
validateRequest="false"
in the Page directive. You can also take another step and HtmlEncode() all the data you receive from the editor. JavaScript has an HtmlEncode or escape method that you could use.
-
Sep 19th, 2008, 08:55 AM
#4
Thread Starter
Hyperactive Member
Re: [2005] HTML Editor Problem HELP NEEDED ASAP
Mendhak,
It's not an HTML Editor in the sense that they input HTML and get an output; it's that the box acts like an HTML Editor in that you can manipulate text format and it outputs the respective HTML. For instance, this reply box I'm typing in allows you to Bold, Italic, change font colors, add hyperlinks, etc. If a user changes the font color, it's reflected in the HTML output of this box.
The only way I found to have an HTML Editor that runs on JavaScript and have the HTML output accessible by the backcode was to add a function on a submit button that injects the HTML output into a hidden field that on postback I could then grab with the VB backcode. The only problem is that that allows code execution. So if a user puts in <script>alert('hello');</script>, that would run on postback.
I could escape the code, but the company I'm working for does not like using JavaScript to secure anything on its own because there are too many tools out there to fool around with JavaScript maliciously. So I need a way to secure the HTML injection into the hidden field.
I hope that made things more clear. I look forward to your view on this.
TIA,
Matt
VS 2010 / .NET 4.0 / ASP.NET 4.0
-
Sep 22nd, 2008, 05:35 AM
#5
Re: [2005] HTML Editor Problem HELP NEEDED ASAP
What you're describing is an HTML Editor. WYSIWYG.
It seems like your main problem is the insertion of JavaScript, you're fine with all other HTML.
You should probably run some regex that strips the <script></script> from the hidden field. This would mean looking for any on* attributes of form fields:
Code:
<input type="text" onclick="somejavascripthere" />
Or plain script tags:
Code:
<script blah blah >
</script>
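Post #3 (turn request validation off for the page, then HtmlEncode) and post #5 (regex out <script> blocks and on* attributes) are the two concrete suggestions in the thread, and the regex route is the one to be careful with: once validateRequest="false" is set, whatever filter runs on postback is the only thing standing between the editor and stored script. The block below is an added example, not code from the thread or from ASP.NET. It puts the post #5 blacklist regex next to an allow-list sanitizer and includes three constructed inputs that get past the blacklist. It is written in JavaScript only so that it runs stand-alone under Node.js; in the setup described here the same allow-list logic belongs in the VB code-behind that reads the hidden field on postback, since, as Matt says, anything done in the browser can be altered. The element and attribute list (b, i, u, strong, em, p, br, font with color/face/size, a with href) is an assumed one for a WYSIWYG editor like this, not something the thread specifies.

```javascript
// Added example, not code from the thread. Runs stand-alone under Node.js.
// (1) the blacklist regex from post #5 plus inputs that slip past it;
// (2) an allow-list sanitizer that keeps only known elements/attributes.
// The allow-list is an assumption for a WYSIWYG editor; adjust it to your buttons.

// (1) Post #5's idea as a one-pass blacklist: remove <script> blocks and on* attributes.
function stripScriptRegex(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/\son\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// (2) Allow-list sanitizer: element -> attributes kept on it.
const ALLOWED = {
  b: [], i: [], u: [], strong: [], em: [], p: [], br: [],
  font: ["color", "face", "size"],
  a: ["href"],
};
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decode what a browser would decode in an attribute value (numeric refs even
// without ";"), so "&#106;avascript:" is seen as "javascript:" before the URL check.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+);?|&([a-z]+);/gi, (m, num, name) => {
    if (num) {
      const cp = /^#x/i.test(num) ? parseInt(num.slice(2), 16) : parseInt(num.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
    }
    const key = name.toLowerCase();
    return own(NAMED, key) ? NAMED[key] : m;
  });
}

// Text nodes: escape < > and any & that does not already start an entity, so
// editor output such as "&nbsp;" survives but raw markup can never form a tag.
function encodeText(s) {
  return s.replace(/&(?!(?:#x[0-9a-f]+|#[0-9]+|[a-z]+);)/gi, "&amp;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function encodeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// href is kept only for http, https, mailto or scheme-less (relative) URLs.
// Whitespace/control characters are removed first; browsers ignore them inside a scheme.
function safeUrl(v) {
  const cleaned = v.replace(/[\s\x00-\x1f\x7f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m === null || ["http", "https", "mailto"].includes(m[1]);
}

function serializeAttrs(rest, allowed) {
  let s = "", a;
  ATTR_RE.lastIndex = 0;
  while ((a = ATTR_RE.exec(rest)) !== null) {
    const attr = a[1].toLowerCase();
    if (!allowed.includes(attr)) continue;   // drops every on* handler, style, etc.
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
    if (attr === "href" && !safeUrl(value)) continue;
    s += ` ${attr}="${encodeAttr(value)}"`;
  }
  return s;
}

// Tokenize into tags and text and rebuild from the allow-list only. Unknown tags
// are dropped (their text is kept); <script>/<style> bodies are dropped whole.
function sanitize(html) {
  let out = "", last = 0, skip = null, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [tag, slash, rawName, rest] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + tag.length;
    if (skip !== null) {                       // inside <script>/<style>: drop until its close tag
      if (slash && name === skip) skip = null;
      continue;
    }
    out += encodeText(text);
    if (name === "script" || name === "style") { if (!slash) skip = name; continue; }
    if (!own(ALLOWED, name)) continue;
    out += slash ? `</${name}>` : `<${name}${serializeAttrs(rest, ALLOWED[name])}>`;
  }
  if (skip === null) out += encodeText(html.slice(last));
  return out;
}

// Constructed inputs (not from the thread); each one survives stripScriptRegex.
const BYPASSES = [
  "<scr<script>ipt>alert(1)</scr</script>ipt>",   // nested tags reassemble <script> after one pass
  '<img src="x"onerror="alert(1)">',               // no whitespace before the attribute, so \son* misses it
  '<a href="javascript:alert(1)">click</a>',       // no on* attribute and no <script> at all
];
```

The allow-list is the point: the blacklist has to anticipate every trick (tags that reassemble after one strip pass, a closing quote with no space before the next attribute, a javascript: href with no event handler anywhere), while the allow-list only has to describe what the editor's buttons can produce. Entities in href values are decoded before the scheme check and re-encoded on output, which is what makes the &#106;avascript: case fail closed. If you keep both validateRequest="false" and a filter like this, run the filter in the code-behind on the posted hidden-field value, not in the onclick handler.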