Is it safe to disable ViewState on the EnhancedTextEditor Control? Microsoft Security Advisory (2659883)

  •  01-10-2012, 12:50 PM

    Is it safe to disable ViewState on the EnhancedTextEditor Control? Microsoft Security Advisory (2659883)

    I'm bumping into issues with  Microsoft Security Advisory (2659883) as a result of uploading 785k html content.
     
    The viewstate on the control when re-rendered adds 1000+ viewstate elements, presumably mirroring the contents of the control, which causes the web server to throw an error when I try and post back an update.
     
    I'm finding that when I disable on the control, these form elements no longer render, and the problem goes away.
     
    If I do this:
    <CE:Editor ID="EnhancedTextEditor" runat="server" Height="500px" EnableViewState="false"....
     
    Will this behave nicely?  Will the editor work without viewstate enabled?
     
    I didn't see anything pre-existing in the forums related to disabling viewstate on the Editor control.
     Steps to reproduce:
    1) Start with an empty editor (no content inside) - upload about a megabyte of textual pure html information into the editor
    2) Re-render the page with the editor.  
    3) View Source
    4) validate that you have 1000+ __VIEWSTATE#### elements on your rendered page
    5) erase the contents of the editor, and put in a few characters to replace it
    6) post back - a patched web server should reject the request, not because of the new content, but because of all the old content stashed in viewstate.
     
     Thanks
View Complete Thread