Even though some people debate the effectiveness of the request validation that comes built into ASP.NET, you get it for free so it makes sense to use it. So when working with an HTML editor which is going to be posting back “potentially dangerous HTML” you’ll probably want to use an editor which lets you encode its content, like TinyMCE does via its XML encoding (if you’re interested and haven’t used its XML encoding before then you can read more about it here), in order to avoid disabling request validation.
Normally this all works well, however it seems that when you throw TinyMCE’s fullpage plugin into the mix things start to go a little awry. The fullpage plugin lets you do exactly what its name suggests – edit a full page of HTML, including doctype declarations and all the tags you’d expect with a full HTML page versus a snippet of HTML as you’re often dealing with in a typical CMS scenario. As soon as I’ve got the fullpage plugin in the mix then the XML encoding option seems to be ignored.
Here are some snippets from a couple of quick Fiddler debug requests:
Firstly, without the fullpage plugin, you can see encoding such as %26lt in effect:
txtTemplateBody=%26lt%3Bp%26gt%3B%5BCreditNoteId%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%26amp%3Bnbsp%3B%5BCustomerInvoiceId%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%5BCreditNoteAmountIncludingVat%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%26amp%3Bnbsp
Next, I add the fullpage plugin back in, and bam:
txtTemplateBody=%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3EUntitled+document%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%26lt%3Bp%26gt%3BHello%26lt%3B%2Fp%26gt%3B%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E
Obviously the HTML is different in the second example, but otherwise the only difference is the addition of the plugin.
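A quick way to see which parts of a captured post body would still trip request validation, as an added example that is not part of the original post: it decodes the form field and reports every raw markup sequence left in it. The trigger rule is an approximation of the ASP.NET check (an assumption), and the two sample bodies are constructed, shortened versions of the captures above.

```javascript
// Added example: approximates ASP.NET request validation on a posted field.
// Assumption: the rule below (raw "<" followed by a letter, "!", "/" or "?",
// or the sequence "&#") approximates the framework's check; it is not its source.
const TRIGGER = /<[A-Za-z!\/?]|&#/g;

// Decode one application/x-www-form-urlencoded name or value.
function decodeFormValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, ' '));
}

// Return every position in the named field that would trip the check.
function findUnencodedMarkup(body, fieldName) {
  const hits = [];
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0 || decodeFormValue(pair.slice(0, eq)) !== fieldName) continue;
    const value = decodeFormValue(pair.slice(eq + 1));
    for (const m of value.matchAll(TRIGGER)) {
      hits.push({ offset: m.index, context: value.slice(m.index, m.index + 20) });
    }
  }
  return hits;
}

// Constructed samples, shortened from the two Fiddler captures in the post.
const withoutFullpage =
  'txtTemplateBody=%26lt%3Bp%26gt%3B%5BCreditNoteId%5D%26lt%3B%2Fp%26gt%3B';
const withFullpage =
  'txtTemplateBody=%3C%21DOCTYPE+html%3E%0D%0A%3Chtml%3E%0D%0A%3Cbody%3E%0D%0A' +
  '%26lt%3Bp%26gt%3BHello%26lt%3B%2Fp%26gt%3B%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E';

// Without the plugin nothing is flagged; with it, only the page wrapper is.
console.log(findUnencodedMarkup(withoutFullpage, 'txtTemplateBody'));
console.log(findUnencodedMarkup(withFullpage, 'txtTemplateBody').map(h => h.context));
```

In the second sample every hit falls in the doctype, html and body wrapper tags, while the paragraph inside the body is still XML-encoded, which matches what the second capture shows.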
Right now, I need a bit more time to do a little more testing to confirm that I’ve not overlooked anything obvious, which is the reason for this post – to harness the power of the Internets! Come forth you .NET TinyMCE gurus, and tell me: am I missing something obvious here, or have I stumbled onto a bug?
Tags: ASP.NET, Web Development
About me
My name is Ross Hawkins and I'm a developer, consultant, business owner and writer based in Auckland,
New Zealand (pictured below!). My current work revolves around ASP.NET, C#, jQuery, Ajax,
SQL Server, and a mix of other Microsoft development technologies.
I also have about 15 years of experience with IBM Lotus Notes/Domino and associated technologies. While Notes/Domino
is no longer my primary focus I still like to dabble and keep my skills up to date.
I own and run 2 businesses - Hawkins Consulting Services,
and Ignition Development.