Wednesday, March 4, 2009 2:32 PM
How can I allow html in text boxes for ASP.net Dynamic Data applications? I want to allow values such as "this text spans <br /> multiple <br /> lines".
Currently when I am editing a row and I try to save text that contains html I get either a javascript error or an error saying the server is trying to prevent malicious code. I know how to allow html input in regular webforms but I can't find information on how to do this with ASP.net Dynamic Data. Thanks in advance.
Thursday, March 5, 2009 11:30 AM ✅Answered
Thanks, ricka6. Your post led to the solution. I added ValidateRequest="false" to the page directive at the top of the page. Now it works.
<%@ Page Language="C#" MasterPageFile="~/Site.master" CodeFile="ListDetails.aspx.cs" Inherits="ListDetails" ValidateRequest="false" %>
Wednesday, March 4, 2009 2:47 PM
I would try using HtmlEncode. So grab the text in the text box, use Server.HtmlEncode(textbox.Text.ToString()), then save that data. Of course, when you display it back you have to HtmlDecode.
More info
http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx
Wednesday, March 4, 2009 2:58 PM
That is the way to do it in webforms. My question is specifically about ASP.net Dynamic Data. If that works with DD then where do you write the HtmlEncode()?
Wednesday, March 4, 2009 3:20 PM
Ah, sorry, my mistake. Without seeing the code I can't tell, but I would imagine creating an event handler that runs when the update method is called, takes the string in question, does the operation needed on it and returns the encoded string to the update method. Another thing I would try is using the JavaScript escape() or encodeURI() functions on the text area before it hits the update method. Other than that, I'll be watching this thread also to see if there is a straightforward way of doing this.
Wednesday, March 4, 2009 4:35 PM
Please have a look here: http://weblogs.asp.net/lduveau/archive/2008/11/28/customizing-asp-net-dynamic-data.aspx
It might point you in the right direction.
Thanks, Jean
Wednesday, March 4, 2009 4:48 PM
Jean, thank you for the link. There is some cool information there but I did not see anything related to html in text boxes. Is there some related information that you saw?
Wednesday, March 4, 2009 5:28 PM
Hi Dan,
My apologies, I was searching for something similar and came across that; I thought you were looking for plain string formatting. Whoops..!
Could you not try to override the ToString property on the entity?
Here is an example, but instead of returning a String.Format, you return the HtmlEncode(yourvalue):
    using System.ComponentModel.DataAnnotations;

    [MetadataType(typeof(EmployeeMetadata))]
    public partial class Employee
    {
        // Dynamic Data uses ToString() wherever it needs a display string for the entity
        public override string ToString()
        {
            return string.Format("{0} {1}", this.FirstName, this.LastName);
        }
    }
It's my best shot (I feel bad for giving you false hope... [;)])
Regards, Jean.
Wednesday, March 4, 2009 5:50 PM
The neat thing about using the ToString override is that it will work in both EF and L2S [:D]
Wednesday, March 4, 2009 6:17 PM
@Jean, that overrides the ToString() method for the entire class. Unless I am missing something that does not work for updating certain fields. Is this what you had in mind?
    using System.ComponentModel.DataAnnotations;
    using System.Web;

    [MetadataType(typeof(ProductMetadata))]
    public partial class Product
    {
        // Encodes the Description column whenever the entity is rendered via ToString()
        public override string ToString()
        {
            return HttpUtility.HtmlEncode(this.Description);
        }
    }
If so, this does not allow HTML to be inserted into text boxes. It does not work.
Wednesday, March 4, 2009 6:35 PM
You probably need to set validateRequest="False" in your edit page template. You then need <b> to be displayed as <b>
Thursday, March 5, 2009 1:49 AM
Dan,
I am merely pointing you in the direction I would have taken as I have never worked with this issue before.
I have, however, worked with showing raw XML markup in a textbox on a GridView, and in that case the validateRequest as suggested by Rick kind of worked, but it has its limitations.
Is your html markup stored in the DB?
You could also try hacking the ToString override to only return an HtmlEncoded value when it finds characters like < or >. In other words, put a nice big IF ELSE around your return and check for it with something like:

    public override string ToString()
    {
        // Encode only when the text looks like markup
        if (this.Description.Contains("<"))
        {
            return HttpUtility.HtmlEncode(this.Description);
        }
        else
        {
            return this.Description;
        }
    }
Obviously I'm not the expert here, but hey I'm trying. [;)]
Let me know, Regards Jean
Thursday, March 5, 2009 7:01 PM
- I would limit validateRequest="false" as much as possible. In my sample I used it only on the Edit page template.
- You might want to use some anti-XSS library to validate input as safe.
- I used Server.HtmlEncode to encode the HTML tags
What modification did you use so you can input <b> and display it as <b> and not the HTML entities <b>
Thursday, March 5, 2009 11:47 PM
1. I would limit validateRequest="false" as much as possible. In my sample I used it only on the Edit page template.
Why would you limit it? Is there a security issue you are concerned about? If so, what?
2. You might want to use some anti-XSS library to validate input as safe.
What is an anti-XSS library? Can you provide a list of anti-XSS library options?
3. I used Server.HtmlEncode to encode the HTML tags. What modification did you use so you can input <b> and display it as <b> and not the HTML entities <b>
I did not use either Server.HtmlEncode or Server.HtmlDecode. This is because <b> is a valid entry in my database. Less than and greater than symbols can be stored in text columns.
Friday, March 6, 2009 12:00 AM
see How To: Prevent Cross-Site Scripting in ASP.NET and Microsoft Anti-Cross Site Scripting Library V1.5: Protecting the Contoso Bookmark Page
If you are creating an internal/intranet site and trust your users, you're probably OK.
Friday, March 6, 2009 12:26 PM
This is for an internal app so we are cool. Also, supporting the entry of XML elements is required in this system. It is not optional. Just to be sure we were protected I simulated a malicious attack. I saved the script below into a text column and displayed it using Dynamic Data. It did not have any adverse consequences.
<script>alert('hello');</script>
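As an added example that is not part of the thread, the console program below compares the three approaches discussed above for a column that must hold markup: storing the raw text and encoding it once at render time (which is why the simulated <script> test above came out harmless, on the assumption that the Dynamic Data Text display template HTML-encodes by default), encoding only when the value contains "<" (the ToString heuristic), and encoding before saving then decoding on display. The sample rows, the two render templates and the leak check are constructed for the demonstration; System.Net.WebUtility is the dependency-free equivalent of HttpUtility/Server.HtmlEncode used in the thread. One caveat for anyone applying the accepted answer on ASP.NET 4.0 or later: page-level ValidateRequest="false" is only honoured when web.config also sets <httpRuntime requestValidationMode="2.0" />.

```csharp
// Added example, not code from the thread. Compares render-time encoding,
// the Contains("<") heuristic, and encode-on-store/decode-on-display for a
// Description column that legitimately holds markup.
using System;
using System.Net;

static class DynamicDataEncodingDemo
{
    // Constructed sample rows, as if read from the Description column.
    public static readonly string[] StoredValues =
    {
        "this text spans <br /> multiple <br /> lines",
        "<script>alert('hello');</script>",
        // Contains no '<', so a Contains("<") check never encodes it.
        "\" onmouseover=\"alert(1)",
        "Smith & Wesson",
    };

    // Constructed templates a field template might emit: a List-view cell
    // (text context) and an Edit-view input (double-quoted attribute context).
    const string CellTemplate  = "<td>{0}</td>";
    const string InputTemplate = "<input type=\"text\" value=\"{0}\" />";

    // 1. Store raw, encode every time the value is rendered.
    public static string RenderEncoded(string template, string stored)
        => string.Format(template, WebUtility.HtmlEncode(stored));

    // 2. Encode only when the text looks like markup (the ToString heuristic).
    public static string RenderHeuristic(string template, string stored)
        => string.Format(template, stored.Contains("<") ? WebUtility.HtmlEncode(stored) : stored);

    // 3. Encode on the way into the database, decode on the way out.
    public static string StoreEncoded(string input) => WebUtility.HtmlEncode(input);
    public static string RenderDecoded(string template, string storedEncoded)
        => string.Format(template, WebUtility.HtmlDecode(storedEncoded));

    // The data leaked markup if the rendered fragment has more '<' than the
    // empty template (a tag opened by the data) or, inside an attribute, more
    // '"' (the data closed the attribute). HtmlEncode can only contribute
    // &lt; and &quot;, so the template's own characters are all that remain.
    public static bool DataLeaksMarkup(string template, string rendered)
    {
        string shell = string.Format(template, "");
        bool extraAngle = CountChar(rendered, '<') > CountChar(shell, '<');
        bool extraQuote = CountChar(rendered, '"') > CountChar(shell, '"');
        bool inAttribute = template.Contains("=\"{0}\"");
        return extraAngle || (inAttribute && extraQuote);
    }

    static int CountChar(string s, char c)
    {
        int n = 0;
        foreach (char ch in s) if (ch == c) n++;
        return n;
    }

    static void Main()
    {
        foreach (string raw in StoredValues)
        {
            Console.WriteLine("stored: " + raw);
            Report("encode at render (cell)",  CellTemplate,  RenderEncoded(CellTemplate, raw));
            Report("encode at render (input)", InputTemplate, RenderEncoded(InputTemplate, raw));
            Report("Contains(\"<\") (input)",  InputTemplate, RenderHeuristic(InputTemplate, raw));
            Report("store encoded, decode",    CellTemplate,  RenderDecoded(CellTemplate, StoreEncoded(raw)));
            // If the display template encodes as well (assumed default for the
            // Dynamic Data Text template), a value stored pre-encoded is encoded
            // twice and the user sees "&lt;br /&gt;" as literal text.
            Report("store encoded, encode",    CellTemplate,  RenderEncoded(CellTemplate, StoreEncoded(raw)));
            Console.WriteLine();
        }
    }

    static void Report(string approach, string template, string rendered)
    {
        string verdict = DataLeaksMarkup(template, rendered) ? "LEAKS MARKUP" : "safe";
        Console.WriteLine($"  {approach,-26} {verdict,-13} {rendered}");
    }
}
```

Running it shows that render-time encoding is safe in both contexts for every row, the Contains("<") heuristic lets the third row break out of the input's value attribute because it contains no "<" at all, and decoding a pre-encoded value on display puts the <script> element back into the page exactly as if nothing had been encoded. The leak check only looks at "<" and "\"", so a bare "&" in the heuristic output is reported as safe even though it is malformed HTML.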