Security issue with the editor - html encoding from the view

Last post 03-12-2013, 11:56 AM by flashiedirk. 7 replies.
  •  11-21-2012, 5:14 PM 75318

    Security issue with the editor - html encoding from the view

    Hi,

     

    I am using RichTextEditor and I am getting this error

    A potentially dangerous Request.Form value was detected from the client (Editor="<p style="direction:...").

    while running:


                Editor editor = new Editor(System.Web.HttpContext.Current, "Editor");
                editor.ClientFolder = "/Scripts/richtexteditor/";
                string content = Request.Form["Editor"];

     

    I would like to know how I can update the editor to send encoded HTML to the controller.

    I prefer not to allow HTML into the controller by updating the application by adding this to the web.config:

    validateRequest=true

     

    thank you

     

    Ori

     

  •  11-21-2012, 8:46 PM 75319 in reply to 75318

    Re: Security issue with the editor - html encoding from the view

    Dear oslasi,

     

    Please try to add the following code above your controller class.

     [ValidateInput(false)]

     

    Regards,

    Jeff

  •  11-22-2012, 5:31 AM 75325 in reply to 75319

    Re: Security issue with the editor - html encoding from the view

    Hi Jeff,

     

    When you allow HTML into your controller you are open to JavaScript attacks, SQL injection attacks, etc. All of that you need to handle in the back end of your code.

    I prefer to block it and not allow any HTML code into the back end.

     

    I think we need to find a solution in the view: the editor needs to send encoded HTML back to the controller.

     

    Is there any other solution?

     

    Thank You

    Ori

     

     

  •  11-22-2012, 8:12 AM 75331 in reply to 75325

    Re: Security issue with the editor - html encoding from the view

    Hi oslasi,

     

    Please set Editor1.EncodeHiddenValue = true;

     

    Regards,

     

    Ken

  •  03-07-2013, 12:45 PM 76997 in reply to 75331

    Re: Security issue with the editor - html encoding from the view

    Hi,

     

    I tried doing this (in my ASP.NET MVC 4 web app), but my text is getting all garbled.  I entered this in the editor:

     

          This should be bold - would it?

     

    But this is what arrives in the controller:

     

          #3nb#7p;Thi#7 #7h#5uld b#9 #1#7tr#5ng#2b#5ld#1/#7tr#5ng#2 - w#5uld it? 

     

    Is there anything obvious I'm doing wrong?

     

    Thanks,

    Dirk 

  •  03-07-2013, 8:20 PM 77001 in reply to 76997

    Re: Security issue with the editor - html encoding from the view

    Hi flashiedirk,

     

    I think you just did not use the correct method to get the editor content. Refer to the output_xhtml demo page. You can set the EncodeHiddenValue property for it and test it; the demo will output the correct code in the page. If it works for you too, please use the same way to get the editor content.

     

     

    public ActionResult output_xhtml()
    {
        // GET: render the editor. EncodeHiddenValue makes the editor post its
        // content HTML-encoded, so request validation does not reject it.
        Editor Editor1 = new Editor(System.Web.HttpContext.Current, "Editor1");
        Editor1.ClientFolder = "/Scripts/richtexteditor/";
        Editor1.EncodeHiddenValue = true;
        Editor1.MvcInit();
        ViewBag.Editor = Editor1.MvcGetString();
        return View();
    }

    [HttpPost]
    public ActionResult output_xhtml(string m = "")
    {
        // POST: use the same settings so the editor instance can decode the posted value.
        Editor Editor1 = new Editor(System.Web.HttpContext.Current, "Editor1");
        Editor1.ClientFolder = "/Scripts/richtexteditor/";
        Editor1.EncodeHiddenValue = true;
        string content = Request.Form["Editor1"];
        if (!string.IsNullOrEmpty(content))
        {
            Editor1.LoadFormData(content);     // decodes the encoded hidden value
            ViewBag._content = Editor1.XHTML;  // the decoded markup
        }
        Editor1.MvcInit();
        ViewBag.Editor = Editor1.MvcGetString();
        return View();
    }

    Regards,

     

    Ken 

  •  03-12-2013, 11:47 AM 77024 in reply to 77001

    Re: Security issue with the editor - html encoding from the view

    I see ... I didn't realize I had to use an editor instance to retrieve the value.  In theory this should work in a modelbinder too, right?  I'll give it a try.
  •  03-12-2013, 11:56 AM 77025 in reply to 77024

    Re: Security issue with the editor - html encoding from the view

    Hi,

     

    Yes, it works now - directly in the model binder.  I find it a bit weird that I need to use an instance of the editor to retrieve the text but it does work. 
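As an added example (not code from this thread or from the editor's vendor), the retrieval Ken shows above, wrapped in the MVC 4 model binder Dirk mentions, so request validation stays on and the decoding happens in one place. The namespace RichTextEditor, the convention that the field name equals the parameter name, and the Save action are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;
using RichTextEditor; // assumption: the namespace that provides the Editor class used in the thread

// Binds the HTML-encoded hidden field posted by the editor to a string parameter.
// The decoding is done by an Editor instance, exactly as the output_xhtml action does.
public class EditorContentBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        // Assumption: the editor was created with an id equal to the bound parameter name.
        string fieldName = bindingContext.ModelName;
        string raw = controllerContext.HttpContext.Request.Form[fieldName];
        if (string.IsNullOrEmpty(raw))
            return null;

        // Same settings as when the page was rendered; EncodeHiddenValue must match,
        // otherwise the decoded text comes out garbled as in Dirk's post.
        Editor editor = new Editor(HttpContext.Current, fieldName);
        editor.ClientFolder = "/Scripts/richtexteditor/";
        editor.EncodeHiddenValue = true;
        editor.LoadFormData(raw);

        // Request validation never saw a raw '<' because the posted value was encoded.
        // The result is still untrusted markup: sanitize it or HTML-encode it before
        // writing it into any page.
        return editor.XHTML;
    }
}

public class ArticleController : Controller
{
    // Assumption: the view renders an editor whose id is "Editor1".
    [HttpPost]
    public ActionResult Save([ModelBinder(typeof(EditorContentBinder))] string Editor1)
    {
        if (Editor1 == null)
            return new HttpStatusCodeResult(400, "No editor content was posted.");

        ViewBag.Content = Editor1; // decoded XHTML; treat as untrusted input from here on
        return View();
    }
}
```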
