Using RadEditor to edit content with embedded server-side controls via Page.ParseControl

1 post, 0 answers
  1. LeBear
    233 posts
    Member since:
    May 2006

    Posted 06 Dec 2008

    This is very interesting.

    I have created a system that allows users to edit site content using the RadEditor.  I recently created an image gallery system, and I wanted to be able to allow users to embed an image viewer in their content, but since the content they enter is simply rendered on the page, I couldn't see a way to do this.

    My solution was to add a little code into the portion of the page that I control.  If the user were to create a control with a specific ID, I would create the image viewer on the server, and then put out some JavaScript that would move the viewer into that control.

    If the user content includes a div with the id "ImageContainer" Then 
      Create the Image Viewer 
      Output some JavaScript that does something like 
    End If 

    This did the trick.  However, I just recently stumbled upon the ParseControl method of the Page object.  You can take the user-provided HTML, and create a control from it, and then add that control to an existing control on the page.

    Dim UserContent As String 
    ' [Load User Content from Database] 
    Dim Ctrl As Control 
    Ctrl = Page.ParseControl(UserContent) 
    ' Ctrl can then be added to the Controls collection of an existing control on the page 

    Of course, there are issues with this.

    When the user is editing the content, they won't be able to see this control since it's not able to be parsed dynamically as it's being edited.

    If the user is able to submit server-side code, which this effectively allows them to do, there is a real security concern, and some real precautions will need to be taken to make sure they don't cause problems.

    I just stumbled across this and thought I would share.

    --- A Little followup ---

    I tested a little code that could be used to help lock this down some.  I was thinking that since a server-side control is created from the ParseControl method, I could examine the control and its children.  You could traverse the control tree created by the ParseControl method and impose restrictions.  For example, I could allow only LiteralControls and my Image Viewer.  If anything else is discovered, I could disallow the input.
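One way to implement the allow-list walk described in the follow-up, as an added example that is not part of LeBear's post or the Telerik controls: it parses the stored content, traverses the tree ParseControl returns, and only adds it to the page when every control is either a LiteralControl or the image viewer. ImageViewer is a hypothetical name for the project's image-viewer control, and its tag prefix is assumed to be registered so the parser can resolve it.

```vbnet
' Added example (not from the original post): reject parsed content that contains
' anything other than literal markup and the image viewer control.
Imports System
Imports System.Web
Imports System.Web.UI

Public Module ParsedContentFilter
    ' Control types the user content may contain; everything else is rejected.
    ' ImageViewer is a hypothetical name for the project's image-viewer control.
    Private ReadOnly AllowedTypes As Type() = New Type() {GetType(LiteralControl), GetType(ImageViewer)}

    ' Walks the tree under root (the container that ParseControl returns) and returns
    ' the full type name of the first disallowed control, or Nothing if all are allowed.
    Public Function FindDisallowedControl(root As Control) As String
        For Each child As Control In root.Controls
            ' Exact type match: a subclass of an allowed type is rejected as well.
            If Array.IndexOf(AllowedTypes, child.GetType()) < 0 Then
                Return child.GetType().FullName
            End If
            Dim offender As String = FindDisallowedControl(child)
            If offender IsNot Nothing Then Return offender
        Next
        Return Nothing
    End Function

    ' Parses the stored content and adds it to host only if it passes the allow-list.
    ' Returns True when the content was rendered, False when it was rejected.
    Public Function RenderUserContent(page As Page, host As Control, userContent As String) As Boolean
        Dim parsed As Control
        Try
            parsed = page.ParseControl(userContent)
        Catch ex As HttpException
            ' Markup the parser refuses (malformed tags, directives): reject it rather than render part of it.
            host.Controls.Add(New LiteralControl("<p>Content could not be rendered.</p>"))
            Return False
        End Try

        Dim offender As String = FindDisallowedControl(parsed)
        If offender IsNot Nothing Then
            ' The parsed tree is never added to the page; the offending type is shown (encoded) so the author can fix it.
            host.Controls.Add(New LiteralControl("<p>Content rejected: " & HttpUtility.HtmlEncode(offender) & " is not allowed.</p>"))
            Return False
        End If

        host.Controls.Add(parsed)
        Return True
    End Function
End Module
```

Calling RenderUserContent from Page_Load with the PlaceHolder that hosts the content replaces the bare Page.ParseControl call shown earlier in the post.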