DotNetNuke Forums
 
New Post 1/24/2006 11:20 AM
Michael Levy
119 posts
www.wildvoice.com?dnnbenefactor=true
9th Ranked


Why html encode by default? 

Can someone explain to me the design tradeoff that was made to always HTMLEncode text from the DNN text editor control (DotNetNuke.UI.UserControls.TextEditor)?

It seems odd to me because the primary use of the control that I've seen is to host the HTML Editor provider for Rich Text. When a user has entered Rich Text (with HTML formatting that needs to be preserved) there is no need for HtmlEncoding. It appears to me that DNN is simply:

  • On Edit: Html Encoding strings and storing Html Encoded strings in the database
  • On View: Decoding the strings for presentation as un-encoded HTML.

So, it seems that we haven't really gained anything. All we've done is added an extra step every time we want to process a string (like in GetSearchItems).

Perhaps this makes more sense if the TextEditor is limited to Basic Textbox and Text mode. Is that the case?

Is there an advantage to having HtmlEncoded strings in my database that I'm missing?

 


WildVoice.com Michael Levy - Are you ready to be heard? WildVoice.com
 
New Post 8/17/2006 4:04 AM
Chris Bond
25 posts
10th Ranked


Re: Why html encode by default? 
Surprised someone hasn't answered this here. Just googled and found the thread.

Anyway, the solution to your problem is an easy one; I just came across it myself when developing a custom module that uses dnn:texteditor. The text was saving to the database encoded. In my ViewModule, where I assign the content to the view class, all you do is something like the following:

lblDescription.Text = Server.HtmlDecode(strDescription)

The Server.HtmlDecode routine returns it to how it should be.
 
New Post 8/17/2006 12:13 PM
John Valentine
129 posts
www.webinnovationsystems.com/
9th Ranked


Re: Why html encode by default? 

That's right Chris. This is a function that is handled in the "context.server" namespace, or HttpContext to purists. The reason for storing the text encoded is reasonably simple. Most people who use the module want to use it like a word editor. Since many users do not know HTML, it makes sense to do the work for them. If you have a requirement that states otherwise, it might make sense to modify the module (or copy it) to use the Context.Server.HtmlDecode(string) and the Context.Server.HtmlEncode(string) functions to display exactly what is typed into a regular textarea control without any "help" from the .NET framework.

 

 


Cheers!
John Valentine
http://www.webinnovationsystems.com
 
New Post 8/18/2006 7:34 AM
Michael Levy
119 posts
www.wildvoice.com?dnnbenefactor=true
9th Ranked


Re: Why html encode by default? 

I think you may have misunderstood my original question. I understand why you need to HtmlEncode user entered text before presenting it to users. The question was really that I don't understand the design tradeoff that was made in the Text/HTML module. The most common design pattern I've seen for this type of situation is to accept the user entered text, store it in the database unencoded, then simply HtmlEncode when presenting the data to a web browser. Storing the text in the database in an encoded form actually complicates certain processes because you must unencode to do things like text search.

HTML encoding is normally the last step before presentation of user entered text. I just wanted to understand the motivation for the Text/HTML module to store the encoded text in the database. I assumed it was to provide backwards compatibility with the way text was stored before FTB was added to DNN, or it was considered an extra precaution in case web based utilities were used to query the database directly.


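An added illustration, not DotNetNuke's code and written in Python rather than VB.NET so it runs stand-alone, of the two designs compared in the post above: encode on edit and decode on view (what the thread says the module does), versus store raw and encode as the last step before presentation, plus the extra decode step a search over encoded rows needs. The function names and the two sample strings are constructed for this example.

```python
# Constructed Python model (not DNN code) of the two designs the thread
# compares: HtmlEncode on edit / decode on view, versus store raw /
# encode as the last step before presentation.
import html

# Constructed sample inputs: a harmless note and a hostile one.
SAMPLES = [
    "Tom & Jerry <3 DNN",
    '<img src=x onerror="alert(1)">',
]

# --- Design the thread describes: encode on edit, decode on view --------
def dnn_store(user_text: str) -> str:
    """On Edit: the HtmlEncoded string is what gets written to the database."""
    return html.escape(user_text, quote=True)

def dnn_view_rich(stored: str) -> str:
    """On View (rich-text mode): decode back to raw HTML, so whatever markup
    the user typed reaches the browser unchanged. The encode/decode round
    trip adds a step but no protection."""
    return html.unescape(stored)

def search_encoded_rows(rows, needle: str):
    """The extra step GetSearchItems needs: decode each stored row before a
    substring search, otherwise '&' or '<' in the query never matches."""
    return [r for r in rows if needle in html.unescape(r)]

# --- Conventional design: store raw, encode at output -------------------
def store_raw(user_text: str) -> str:
    """Store exactly what the user typed."""
    return user_text

def render_plain(stored: str) -> str:
    """Encode once, at the presentation layer, so markup is shown as text."""
    return html.escape(stored, quote=True)

def search_raw_rows(rows, needle: str):
    """Search runs directly on the stored text; no decode step needed."""
    return [r for r in rows if needle in r]

if __name__ == "__main__":
    encoded_db = [dnn_store(s) for s in SAMPLES]
    raw_db = [store_raw(s) for s in SAMPLES]
    print("rich view of hostile row :", dnn_view_rich(encoded_db[1]))
    print("plain render, hostile row:", render_plain(raw_db[1]))
    print("naive search, encoded db :", search_raw_rows(encoded_db, "Tom & Jerry"))
    print("decode-then-search       :", search_encoded_rows(encoded_db, "Tom & Jerry"))
```

Running it shows the rich-text view handing the hostile markup back to the browser unchanged, while the naive search over the encoded rows finds nothing until each row is decoded first.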
 
New Post 8/18/2006 7:41 AM
Michael Levy
119 posts
www.wildvoice.com?dnnbenefactor=true
9th Ranked


Re: Why html encode by default? 

Just in case anyone stumbles on this thread and wants some helpful information, here are a couple of useful links:

 

http://dotnetnuke.com/Community/ForumsDotNetNuke/tabid/795/forumid/8/threadid/11753/scope/posts/Default.aspx is a thread which has some of my rants about lack of HtmlEncoding and XSS prevention in some DNN modules.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000004.asp is a good intro article from Microsoft on general XSS and HtmlEncoding issues. It is a little naive about the threat, but it is a good introduction.

 

