TinyMCE’s fullpage plugin + ASP.NET request validation

Even though some people debate the effectiveness of the request validation that comes built into ASP.NET, you get it for free so it makes sense to use it. So when working with an HTML editor which is going to be posting back “potentially dangerous HTML” you’ll probably want to use an editor which lets you encode its content, like TinyMCE does via its XML encoding (if you’re interested and haven’t used its XML encoding before then you can read more about it here), in order to avoid disabling request validation.

Normally this all works well, however it seems that when you throw TinyMCE’s fullpage plugin into the mix things start to go a little awry. The fullpage plugin lets you do exactly what its name suggests – edit a full page of HTML, including doctype declarations and all the tags you’d expect with a full HTML page versus a snippet of HTML as you’re often dealing with in a typical CMS scenario. As soon as I’ve got the fullpage plugin in the mix then the XML encoding option seems to be ignored.

Here are some snippets from a couple of quick Fiddler debug requests:

Firstly, without the fullpage plugin, you can see encoding such as %26lt in effect:

txtTemplateBody=%26lt%3Bp%26gt%3B%5BCreditNoteId%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%26amp%3Bnbsp%3B%5BCustomerInvoiceId%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%5BCreditNoteAmountIncludingVat%5D%26lt%3B%2Fp%26gt%3B%0D%0A%26lt%3Bp%26gt%3B%26amp%3Bnbsp

Next, I add the fullpage plugin back in, and bam:

txtTemplateBody=%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3EUntitled+document%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%26lt%3Bp%26gt%3BHello%26lt%3B%2Fp%26gt%3B%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E

Obviously the HTML is different in the second example, but otherwise the only difference is the addition of the plugin.

Right now, I need a bit more time to do a little more testing to confirm that I’ve not overlooked anything obvious, which is the reason for this post – to harness the power of the Internets! Come forth you .NET TinyMCE gurus, and tell me: am I missing something obvious here, or have I stumbled onto a bug?


Posted on Thursday, October 14, 2010 10:45 PM
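The two captures in the post can be compared mechanically. The following is an added example, not code from the post or from TinyMCE: it decodes a form body and lists each position that would trip request validation, assuming the check rejects `<` followed by a letter, `!`, `/` or `?`, and `&#` (an approximation of the ASP.NET rule; the function names are hypothetical).

```javascript
// Added example, not the blog author's code. TRIGGER approximates what ASP.NET
// request validation rejects: '<' followed by a letter, '!', '/' or '?', or '&#'.
const TRIGGER = /<[A-Za-z!\/?]|&#/g;

// Excerpts of the two request bodies quoted in the post.
const withoutFullpage =
  "txtTemplateBody=%26lt%3Bp%26gt%3B%5BCreditNoteId%5D%26lt%3B%2Fp%26gt%3B";
const withFullpage =
  "txtTemplateBody=%3Cbody%3E%0D%0A%26lt%3Bp%26gt%3BHello%26lt%3B%2Fp%26gt%3B" +
  "%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E";

// Decode one application/x-www-form-urlencoded token ('+' means space).
function decodeFormToken(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Split "a=b&c=d" into decoded [name, value] pairs.
function parseFormBody(body) {
  return body.split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    return [decodeFormToken(name), decodeFormToken(value)];
  });
}

// Report every position in a field value that would trip the check.
function findValidationTriggers(body) {
  const hits = [];
  for (const [field, value] of parseFormBody(body)) {
    for (const m of value.matchAll(TRIGGER)) {
      hits.push({ field, offset: m.index, context: value.slice(m.index, m.index + 7) });
    }
  }
  return hits;
}

for (const [label, body] of [["without fullpage", withoutFullpage],
                             ["with fullpage", withFullpage]]) {
  const hits = findValidationTriggers(body);
  console.log(label, hits.length ? hits : "no raw markup, passes");
}
```

On the second capture every hit falls in the document wrapper (`<body>`, `</body>`, `</html>`); the paragraph inside the body is still entity-encoded.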

  • # re: TinyMCE’s fullpage plugin + ASP.NET request validation
    Commented on 1/15/2011 4:41 AM

    seems to be an encoding issue - try this tool http://meyerweb.com/eric/tools/dencoder/ on your examples above. I'm investigating hacking the fullpage.js source myself to see if I can stop it incorrectly encoding the markup.

  • # re: TinyMCE’s fullpage plugin + ASP.NET request validation
    Commented on 2/18/2011 8:45 AM

    Hi Jonathan, thanks for that - will check it out.

    If you do end up making any modifications to the fullpage.js file I'd love a copy of them!


    -Ross
