This is a migrated thread and some comments may be shown as answers.

Using RadEditor to edit content with embedded server-side controls via Page.ParseControl

0 Answers 52 Views
Editor
This is a migrated thread and some comments may be shown as answers.
LeBear
Top achievements
Rank 1
LeBear asked on 06 Dec 2008, 07:30 PM
This is very interesting.

I have created a system that allows users to edit site content using the RadEditor.  I recently created an image gallery system, and I wanted to be able to allow users to embed an image viewer in their content, but since the content they enter is simply rendered on the page, I couldn't see a way to do this.

My solution was to add a little code into the portion of the page that I control.  If the user were to create a control with a specific ID, I would create the image viewer on the server, and then put out some JavaScript that would move the viewer into that control.

If the user content includes a div with the id "ImageContainer" Then 
  Create the Image Viewer 
  Output some JavaScript that does something like 
    document.getElementById('ImageContainer').appendChild(document.getElementById('MyImageViewer')) 
End If 

This did the trick.  However, I just recently stumbled upon the ParseControl method of the Page object.  You can take the user-provided HTML, and create a control from it, and then add that control to an existing control on the page.

Dim UserContent as String 
 
[Load User Content from Database] 
 
Dim Ctrl as Control 
Ctrl = Page.ParseControl(UserContent) 
OutputDiv.Controls.Add(Ctrl) 

Of course, there are issues with this.

When the user is editing the content, they won't be able to see this control since it's not able to be parsed dynamically as it's being edited.

If the user is able to submit server-side code, which this effectively allows them to do, there is a real security concern, and some real precautions will need to be taken to make sure they don't cause problems.

I just stumbled across this and though I would share.,

--- A Little followup ---

I tested a little code that could be used to help lock this down some.  I was thinking that since a server-side control is created from the ParseControl method, that I could examine the control and its children.  You could traverse the control tree created by the ParseControl method and impose restrictions.  For example, I could allow only LiteralControls and my Image Viewer.  If anything else is discovered, I could disallow the input.

No answers yet. Maybe you can help?

Tags
Editor
Asked by
LeBear
Top achievements
Rank 1
Share this question
or