This is very interesting.
I have created a system that allows users to edit site content using the RadEditor. I recently created an image gallery system, and I wanted to be able to allow users to embed an image viewer in their content, but since the content they enter is simply rendered on the page, I couldn't see a way to do this.
My solution was to add a little code into the portion of the page that I control. If the user were to create a control with a specific ID, I would create the image viewer on the server, and then put out some JavaScript that would move the viewer into that control.
' The original pseudocode, written out as VB.NET. "ImageViewer" stands in
' for the poster's own image viewer control, whose type name is not given.
If UserContent.Contains("id=""ImageContainer""") Then
    ' Create the image viewer on the server, in a container the page controls
    Dim Viewer As New ImageViewer()
    Viewer.ID = "MyImageViewer"
    OutputDiv.Controls.Add(Viewer)
    ' Emit JavaScript that moves the rendered viewer into the user's div
    Page.ClientScript.RegisterStartupScript(Me.GetType(), "MoveViewer", _
        "document.getElementById('ImageContainer').appendChild(document.getElementById('MyImageViewer'));", True)
End If
This did the trick. However, I just recently stumbled upon the ParseControl method of the Page object. You can take the user-provided HTML, and create a control from it, and then add that control to an existing control on the page.
Dim UserContent As String
' [Load User Content from Database]
Dim Ctrl As Control
' Parse the user's markup into a control tree (server controls included)
Ctrl = Page.ParseControl(UserContent)
' Attach the parsed tree to a container the page controls
OutputDiv.Controls.Add(Ctrl)
Of course, there are issues with this.
When the user is editing the content, they won't be able to see this control since it's not able to be parsed dynamically as it's being edited.
If the user is able to submit server-side code, which this effectively allows them to do, there is a real security concern, and some real precautions will need to be taken to make sure they don't cause problems.
I just stumbled across this and thought I would share.
--- A little follow-up ---
I tested a little code that could be used to help lock this down some. I was thinking that since a server-side control is created from the ParseControl method, that I could examine the control and its children. You could traverse the control tree created by the ParseControl method and impose restrictions. For example, I could allow only LiteralControls and my Image Viewer. If anything else is discovered, I could disallow the input.
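One way to implement the allowlist check described in the follow-up, as an added example that is not the poster's code: walk the tree that Page.ParseControl returns and accept only LiteralControl and the image viewer type, rejecting the whole input otherwise. The root that ParseControl hands back is a plain container control holding the parsed children, so the walk starts at its children. ImageViewer, OutputDiv, LoadUserContent and the sample markup are assumptions (the post names none of them).

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.HtmlControls

' Example page (not the poster's code): parse user markup, then refuse it
' unless every server control in the parsed tree is on the allowlist.
Public Class SafeContentPage
    Inherits Page

    ' Assumes <div id="OutputDiv" runat="server"> exists in the .aspx markup
    Protected OutputDiv As HtmlGenericControl

    ' Exact types that user content may produce. ImageViewer is a placeholder
    ' for the poster's own image viewer control type.
    Private Shared ReadOnly AllowedTypes As Type() = New Type() { _
        GetType(LiteralControl), _
        GetType(ImageViewer)}

    ' Returns True when ctrl and all of its descendants are allowed.
    ' On failure, "offender" receives the first disallowed type so it can be logged.
    Public Shared Function IsAllowed(ByVal ctrl As Control, ByRef offender As Type) As Boolean
        Dim t As Type = ctrl.GetType()
        Dim ok As Boolean = False
        For Each allowed As Type In AllowedTypes
            ' Exact match only: subclasses (e.g. DataBoundLiteralControl) are not assumed harmless
            If t Is allowed Then
                ok = True
                Exit For
            End If
        Next
        If Not ok Then
            offender = t
            Return False
        End If
        For Each child As Control In ctrl.Controls
            If Not IsAllowed(child, offender) Then Return False
        Next
        Return True
    End Function

    ' Checks the children of the container that ParseControl returns.
    Public Shared Function IsAllowedTree(ByVal root As Control, ByRef offender As Type) As Boolean
        For Each child As Control In root.Controls
            If Not IsAllowed(child, offender) Then Return False
        Next
        Return True
    End Function

    ' Placeholder for the database load; the markup here is a constructed sample.
    Private Function LoadUserContent() As String
        Return "<p>Gallery</p><my:ImageViewer runat=""server"" ID=""Viewer1"" />"
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim userContent As String = LoadUserContent()
        Dim parsed As Control
        Try
            parsed = Page.ParseControl(userContent)
        Catch ex As HttpException
            ' Malformed markup: show it as encoded text instead of failing the page
            OutputDiv.Controls.Add(New LiteralControl(HttpUtility.HtmlEncode(userContent)))
            Return
        End Try

        Dim offender As Type = Nothing
        If IsAllowedTree(parsed, offender) Then
            ' Only now does the parsed tree join the page lifecycle
            OutputDiv.Controls.Add(parsed)
        Else
            ' Reject the whole submission; the offending type is available for logging
            OutputDiv.Controls.Add(New LiteralControl( _
                "Content rejected: disallowed control " & HttpUtility.HtmlEncode(offender.FullName)))
        End If
    End Sub
End Class
```

The check runs before Controls.Add, which matters: ParseControl instantiates the controls but they do not take part in the page lifecycle (Init, Load, Render) until they are added to the tree, so a rejected tree is simply discarded. Two caveats: the allowlist constrains server controls only, and the text inside a LiteralControl is still the raw HTML the user typed, exactly as it was when the content was rendered directly; and ASP.NET also offers a framework-level hook for this, PageParserFilter (registered via the pageParserFilterType attribute of the pages element in web.config), whose AllowControl method is consulted during parsing, including by ParseControl.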