This is a migrated thread and some comments may be shown as answers.

HtmlEncode

Editor
Jason Lee asked on 14 Sep 2008, 08:11 AM
Dear Sir,

It seems RadEditor uses the HtmlEncode method to encode the content of the editor.

The following is my code:

<telerik:RadEditor ID="radEditor" runat="server" ContentAreaCssFile="~/common/css/editor.css"
    ToolsFile="~/common/config/toolsfile.xml" ContentFilters="RemoveScripts"
    EditModes="Design">
</telerik:RadEditor>

Is it possible to turn the feature off? The reason I want to turn it off is that I want to implement my own HtmlEncode (Server.HtmlEncode is not good enough).

In fact, I can use HtmlDecode to solve the problem, but it wastes performance.

Thank you~

11 Answers, 1 is accepted

George
Telerik team
answered on 16 Sep 2008, 01:27 PM
Hi Jason,

Currently there is no way to disable the editor's encoding feature.


Sincerely,
George
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
Jason Lee
answered on 16 Sep 2008, 05:30 PM
Dear George,

Is it possible to add the feature in Q3 release, please?
Jason Lee
answered on 19 Sep 2008, 03:46 AM
Any suggestions?
George
Telerik team
answered on 19 Sep 2008, 07:34 AM
Hi Jason,

Note that the RadEditor's content is not sent to the server as HTML - if you try to send a POST value as HTML, a "Potentially dangerous request" exception is generated by the .NET framework (you can test that by entering HTML in a regular asp:TextBox). Hence, the content is being encoded.

In general, you are the first customer asking for this feature and due to this, it has very low priority. Could you please clarify whether there are any problems with the editor's encoding? Why do you want to use your custom encoding? What do you mean by "not good enough"?

Kind regards,
George
the Telerik team

Jason Lee
answered on 19 Sep 2008, 08:23 AM
Dear George,

Although the HttpUtility.HtmlEncode/HttpUtility.UrlEncode methods prevent XSS vulnerabilities when characters like "<", ">" and "&" are used, they can be vulnerable when user input contains characters outside of this limited set of characters. Below is an example which shows how code can be vulnerable even after using the HttpUtility.HtmlEncode method.

Reference:
http://blogs.msdn.com/cisg/archive/2008/08/28/output-encoding.aspx



Yes, you are right. ASP.NET can't post back the content with HTML tags if the protection is turned on. Therefore, you guys probably encode the content on the client side, right? If it is encoded on the client side, then my question changes.

Can I use the HtmlDecode method to decode the content completely?
If so, then I will decode it first and encode it my own way...

Thank you 
George
Telerik team
answered on 23 Sep 2008, 01:26 PM
Hi Jason,

Obviously, to transfer the content from client to server it needs to be encoded first. Then the content is decoded on the server. This is done by using custom encoding/decoding functionality, similar but not the same as HtmlDecode / HtmlEncode / decodeURIComponent / encodeURIComponent.

We would like to move this theoretical discussion to more practical ground.

You can encode/decode any way you want... Are there any problems using RadEditor's built-in encode/decode mechanism? If yes, please open a support ticket and send us a sample runnable project where the problem can be reproduced. We will check it locally and do our best to provide a solution.

Regards,
George
the Telerik team

George
Telerik team
answered on 29 Sep 2008, 02:25 PM
Hi Jason,

For your convenience, I prepared a simple sample project that demonstrates how to achieve the desired behavior. Please use it as a base and extend it so that it best fits your scenario.

I hope this helps.

All the best,
George
the Telerik team

Jason Lee
answered on 01 Oct 2008, 03:30 AM
Dear George,

Oops... I looked at your example. You want me to encode my content in client-side JavaScript? If so, that's not what I am looking for.

I am looking for a server-side decode method so that I can decode RadEditor's content back and encode it my own way.

The reason I want to decode the content back is that I want to encode every character in the content instead of a few characters, such as "< > ' %". That will be safer.

I have read the content that I get from the RadEditor.Content property. It has already encoded at least the "<" and ">" characters. So I have to decode it back first, right? Otherwise, if I use my method to encode it again, it will show a problem because the content is encoded twice.

Thank you

Tervel
Telerik team
answered on 01 Oct 2008, 06:18 AM
Hi Jason,

Please excuse us for not providing enough explanation in our latest answer.

The code that we sent you demonstrates how to change (e.g. "encode") the editor's content on the client just before it is submitted. This will allow you to apply any encoding mechanism of your choice to make the content "safe" for sending. Then, of course, the editor will further encode your encoded content - as the editor's encoding mechanism cannot be bypassed.

On the server, the editor will decode the content first - and then you will be able to read from it your own encoded content - which you will be able to decode with your own server-side decoding mechanism - and finally receive the original content.

Essentially, what we demonstrate in this example is the ability to add your encoding mechanism, and not to bypass the editor encoding mechanism. This is the only way to achieve the behavior you are looking for, as the editor's encoding mechanism cannot be stopped, bypassed, or replaced.


Regards,
Tervel
the Telerik team

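Two points in this thread are easier to see in running code: Jason's point that an encoder covering only "<", ">", "&" and a quote leaves gaps in some HTML contexts (encoding every non-alphanumeric character does not), and Tervel's layered pipeline (custom encode on the client, the editor's own transport encoding on top, editor decode on the server, then custom decode). The following is an added example in JavaScript, the language of the client-side approach Telerik proposed; it is not Telerik's code nor the original poster's. The editor's transport encoding is an assumption: Telerik says the real mechanism is custom and only "similar" to HtmlEncode/HtmlDecode, so plain entity encoding stands in for it. The payload, sample content and template are constructed for the demonstration.

```javascript
// Added example (not Telerik's or the poster's code). Assumption: the editor's
// transport layer is simulated with plain HTML entity encoding/decoding.

// Minimal encoder: the character set classic HttpUtility.HtmlEncode covers.
function htmlEncodeMinimal(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Whitelist encoder: [A-Za-z0-9] pass through; every other code point becomes
// a hex numeric character reference. Array.from splits by code point, so an
// astral character (emoji) is one reference, not two surrogate halves.
function htmlEncodeAll(s) {
  return Array.from(s)
    .map((ch) => (/^[A-Za-z0-9]$/.test(ch)
      ? ch
      : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`))
    .join("");
}

// Single-pass entity decoder: numeric (hex or decimal) plus five named entities.
// The replacement text is not rescanned, so "&amp;#x3C;" decodes to "&#x3C;",
// not to "<". That is exactly what makes the layered round trip below exact.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function htmlDecode(s) {
  return s.replace(/&(#[xX][0-9A-Fa-f]+|#[0-9]+|[A-Za-z]+);/g, (whole, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Constructed template with an UNQUOTED attribute value, a context in which an
// encoder that only touches & < > " leaves room to start a new attribute.
function renderUnquotedAttr(userValue, encoder) {
  return `<input type="text" value=${encoder(userValue)}>`;
}

// Constructed payload: contains none of & < > ", so the minimal encoder returns
// it unchanged and the space ends the value= token. Browsers decode "&#x20;"
// only after tokenizing, so the whitelist-encoded form stays a single value.
const PAYLOAD = "x onmouseover=alert(1)";

// ---- Layered pipeline (client -> editor -> server), as Tervel describes ----
const editorEncode = htmlEncodeMinimal; // assumption: stand-in for the editor
const editorDecode = htmlDecode;        // transport encoding/decoding

// Client: apply the custom encoding first; the editor then encodes that too.
function clientSubmit(content) {
  return editorEncode(htmlEncodeAll(content));
}

// Server: the editor's decode yields what RadEditor.Content would hand back
// (still carrying the custom encoding); one more decode restores the original.
function serverReceive(posted) {
  const editorContent = editorDecode(posted);
  return { editorContent, original: htmlDecode(editorContent) };
}

// The double-encoding trap from the thread: re-encoding the editor's content
// WITHOUT decoding it first, then decoding once, does not give the original.
function naiveReencodeRoundTrip(content) {
  const editorContent = htmlEncodeMinimal(content); // as if read from Content
  const stored = htmlEncodeAll(editorContent);       // encoded again, no decode
  return htmlDecode(stored) === content;
}

// Constructed sample content: markup, an ampersand, quotes and an emoji.
const SAMPLE = '<p class="x">Tom & "Jerry" \u{1F600}</p>';

console.log(renderUnquotedAttr(PAYLOAD, htmlEncodeMinimal)); // new attribute appears
console.log(renderUnquotedAttr(PAYLOAD, htmlEncodeAll));     // still one value
const posted = clientSubmit(SAMPLE);
const { editorContent, original } = serverReceive(posted);
console.log(posted);
console.log(editorContent);
console.log(original === SAMPLE, naiveReencodeRoundTrip(SAMPLE));
```

The whitelist encoder is the "encode every character" approach the poster asks for: its output contains only letters, digits and the characters of a numeric reference, so it is safe in element content and in quoted or unquoted attribute values alike, at the cost of larger output. The pipeline section shows why the editor's layer does not have to be bypassed: as long as the server decodes the editor's layer before applying the custom decode, the original content comes back unchanged, and skipping that first decode is what produces the doubly-encoded content described in the thread.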
Jason Lee
answered on 01 Oct 2008, 09:12 AM
Dear Tervel,

Thank you for your support...
