shadonar
Reputation: 1194
Clean Text in FCKeditor textbox
I have a legacy web application that I'm needing to migrate to a new Windows Server (to 2019 from 2008r2) and have been running into some security issues. mainly with a rich text style textbox FCKeditor text box. this editor adds html tags and if somebody copies from a Word doc to fill out the field, the hidden Word doc structures (xml and style content) is also brought over and thus the 2019 security throws an error message about the text being potentially hazardous. I came up with a function to clean up the text content and bring it back to a plain text content. however the security still throws an error and never makes it to the function i created.
protected string GetCleanedText(string content)
{
const string tagWhiteSpace = @"(>|$)(\W|\n|\r)+<";
const string stripFormatting = @"<[^>]*(>|$)";
const string lineBreak = @"<(br|BR)\s{0,1}\/{0,1}>";
const string xmlformatting = @"<xml>[\s\S]*?<\/xml>";
const string styleformatting = @"<style>[\s\S]*?<\/style>";
Regex lineBreakRegex = new Regex(lineBreak, RegexOptions.Multiline);
Regex xmlformattingRegex = new Regex(xmlformatting, RegexOptions.Multiline);
Regex stripFormattingRegex = new Regex(stripFormatting, RegexOptions.Multiline);
Regex tagWhiteSpaceRegex = new Regex(tagWhiteSpace, RegexOptions.Multiline);
Regex styleformattingRegex = new Regex(styleformatting, RegexOptions.Multiline);
string text = content;
//xml formatting
text = xmlformattingRegex.Replace(text, string.Empty);
//style formatting
text = styleformattingRegex.Replace(text, string.Empty);
//Decode html specific characters
//text = System.Net.WebUtility.HtmlDecode(text);
//text = System.Net.WebUtility.HtmlDecode(text);
text = System.Web.HttpUtility.HtmlDecode(text);
//Remove tag whitespace/line breaks
text = tagWhiteSpaceRegex.Replace(text, "><");
//Replace <br /> with line breaks
text = lineBreakRegex.Replace(text, Environment.NewLine);
//Strip formatting
text = stripFormattingRegex.Replace(text, string.Empty);
return text;
}
The data on the aspx page is set up with two way binding via Bind(). I've tried replacing it with Eval() and calling theGetCleanedText() function to clean the text content, but the data continues to get wiped due to the FormView1_ItemCreated() function and either leaves the text box empty or doesn't allow the content to be updated. I've also tried to implement stuff in the ItemCreated, ItemUpdating, and FormView1_DataBound() functions and still either get an emtpy text box or one that when Editing the text field doesn't maintain the new text content.
here's the aspx page (I've removed most of the other content to focus on what I'm trying to fix):
<asp:FormView ID="FormView1" runat="server" DataKeyNames="id" DataSourceID="ObjectDataSource1"
OnItemCreated="FormView1_ItemCreated" OnDataBound="FormView1_DataBound" OnItemUpdating="FormView1_ItemUpdating"
OnItemDeleting="FormView1_ItemDeleting" BorderWidth="0px" CssClass="nospace"
Width="100%" OnItemInserting="FormView1_ItemInserting" AllowPaging="True" EmptyDataText="No records found.">
<EditItemTemplate>
<table width="100%" border="0" cellpadding="2">
<tr>
<td>
<b>Business Reason for the Purchase:</b><br />
<FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/"
Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'>
</FCKeditorV2:FCKeditor>
</td>
<td>
</td>
<td>
<b>Description of Product or Service:</b><br />
<FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/"
Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'>
</FCKeditorV2:FCKeditor>
</td>
</tr>
<tr>
<td>
<asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update"
CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="40" Text="Update"
ValidationGroup="requestgroup" />
<asp:LinkButton ID="UpdateCancelButton" runat="server" CausesValidation="False"
CommandName="Cancel" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="42"
Text="Cancel" />
<asp:ValidationSummary ID="ValidationSummary1" runat="server" HeaderText="Please complete fields:"
ShowMessageBox="True" ShowSummary="False" ValidationGroup="requestgroup" />
</td>
<td align="right">
</td>
<td align="right">
</td>
<td align="right">
</td>
</tr>
</table>
</EditItemTemplate>
<InsertItemTemplate>
<table width="100%" border="0" cellpadding="2">
<tr>
<td>
<b>Business Reason for the Purchase:</b><br />
<FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/"
Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'>
</FCKeditorV2:FCKeditor>
</td>
<td>
</td>
<td>
<b>Description of Product or Service:</b><br />
<FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/"
Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'>
</FCKeditorV2:FCKeditor>
</td>
</tr>
<tr>
<td>
<asp:LinkButton ID="InsertButton" runat="server" CausesValidation="True" CommandName="Insert"
CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="42" Text="Insert"
ValidationGroup="requestgroup" />
<asp:LinkButton ID="InsertCancelButton" runat="server" CausesValidation="False"
CommandName="Cancel" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="44"
Text="Cancel" />
<asp:ValidationSummary ID="ValidationSummary1" runat="server" HeaderText="Please complete fields:"
ShowMessageBox="True" ShowSummary="False" ValidationGroup="requestgroup" />
</td>
<td align="right">
</td>
<td align="right">
</td>
<td align="right">
</td>
</tr>
</table>
</InsertItemTemplate>
<ItemTemplate>
<table width="100%" border="0" cellpadding="2">
<tr>
<td colspan="2" valign="top">
<b>Business Reason for the Purchase:</b><br />
<asp:Label ID="purchase_reasonLabel" runat="server" Text='<%# Bind("purchase_reason") %>'
BackColor="#EFF2F3" BorderWidth="0" CssClass="textBlock" />
</td>
</tr>
<tr>
<td colspan="2" valign="top">
<b>Description of Product or Service:</b><br />
<asp:Label ID="product_descriptionLabel" runat="server" Text='<%# Bind("product_description") %>'
BackColor="#EFF2F3" BorderWidth="0" CssClass="textBlock" />
</td>
</tr>
<tr>
<td>
<asp:LinkButton ID="EditButton" runat="server" CausesValidation="False" CommandName="Edit"
CssClass="btn" OnClientClick="RemoveDisplayMessage()" Text="Edit" />
<asp:LinkButton ID="DeleteButton" runat="server" CausesValidation="False" CommandName="Delete"
CssClass="btn" OnClientClick="RemoveDisplayMessage(); return confirm('Do you really want to delete this item?');"
Text="Delete" />
<asp:LinkButton ID="NewButton" runat="server" CausesValidation="False" CommandName="New"
CssClass="btn" OnClientClick="RemoveDisplayMessage()" Text="New" />
</td>
<td align="right">
<asp:LinkButton ID="ApproveButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>'
CommandName="Approve" CssClass="btn" OnCommand="StatusButton_Command" Text="Approve" />
<asp:LinkButton ID="DenyButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>'
CommandName="Deny" CssClass="btn" OnCommand="StatusButton_Command" Text="Deny" />
<asp:LinkButton ID="ReturnButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>'
CommandName="more info" CssClass="btn" OnCommand="StatusButton_Command" Text="Require more info" />
</td>
</tr>
</table>
</ItemTemplate>
and here's the C# code behind page:
protected void FormView1_DataBound(object sender, EventArgs e)
{
// databinding for things that weren't set up with Bind()
// does not have any content for the purchase_reasonTextBox or product_descriptionTextBox
}
protected void FormView1_ItemCreated(object sender, EventArgs e)
{
FormViewRow row = FormView1.Row;
if (FormView1.CurrentMode == FormViewMode.Edit || FormView1.CurrentMode == FormViewMode.Insert)
{
//initialize
if (FormView1.CurrentMode == FormViewMode.Insert)
{
// nothing relevant
}
else if (FormView1.CurrentMode == FormViewMode.Edit)
{
//nothing relevant
}
FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox");
if (purchase_reasonTextBox != null)
{
purchase_reasonTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js";
purchase_reasonTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css";
purchase_reasonTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml";
}
FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox");
if (product_descriptionTextBox != null)
{
product_descriptionTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js";
product_descriptionTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css";
product_descriptionTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml";
}
}
}
protected void FormView1_ItemUpdating(object sender, FormViewUpdateEventArgs e)
{
FormViewRow row = FormView1.Row;
if (FormView1.CurrentMode == FormViewMode.Edit)
{
//nothing relevant
}
}
I'm running out of ideas for how to work around this issue. I Have to clean the content, and I'm not allowed to edit the database directly.
here's the last set of changes I tried:
protected void FormView1_DataBound(object sender, EventArgs e)
{
FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox");
if (purchase_reasonTextBox != null)
{
purchase_reasonTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js";
purchase_reasonTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css";
purchase_reasonTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml";
}
purchase_reasonTextBox.Value = GetCleanedText(rowView["purchase_reason"].ToString());
FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox");
if (product_descriptionTextBox != null)
{
product_descriptionTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js";
product_descriptionTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css";
product_descriptionTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml";
}
product_descriptionTextBox.Value = GetCleanedText(rowView["product_description"].ToString());
}
protected void FormView1_ItemUpdating(object sender, FormViewUpdateEventArgs e)
{
FormViewRow row = FormView1.Row;
if (FormView1.CurrentMode == FormViewMode.Edit)
{
FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox");
e.NewValues["purchase_reason"] = purchase_reasonTextBox.Value; //GetCleanedText(purchase_reasonTextBox.Value);
FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox");
e.NewValues["product_description"] = product_descriptionTextBox.Value; //GetCleanedText(product_descriptionTextBox.Value);
}
}
protected void FormView1_ItemInserting(object sender, FormViewInsertEventArgs e)
{
Response.Write(" -- Item Inserting -- ");
FormViewRow row = FormView1.Row;
if (FormView1.CurrentMode == FormViewMode.Insert)
{
FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox");
e.Values["purchase_reason"] = GetCleanedText(purchase_reasonTextBox.Value);
FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox");
e.Values["product_description"] = GetCleanedText(product_descriptionTextBox.Value);
}
}
I would appreciate any advice on how to get the text content inside of the text boxes returned to plain text
<FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'>
</FCKeditorV2:FCKeditor>
<FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'>
</FCKeditorV2:FCKeditor>
Upvotes: 0
Views: 123
Answers (1)
Lutti Coelho
Reputation: 2264
As you do not share the error message I'll give you an answer based on a common error that occurs with rich text plugins:
A potentially dangerous Request.Form value was detected from the client
This error occurs because your server do not allow html content in your requests and adding html in the request is exactly what a rich text plugin does. So you need to enable it on your server.
How?
1) Add ValidateRequest="false" on your .aspx file.
<%@ Page Language="C#" ... ValidateRequest="false" %>
2) Set httpRuntime requestValidationMode value to 2.0 on your web.config.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5"/>
<httpRuntime targetFramework="4.5" requestValidationMode="2.0"/>
</system.web>
</configuration>
3) This step should be already done on your legacy. But if not, you shoul add a custom validation to avoid script injection on the pages where you will show the HTML inputed by the user.
Steps 1 and 2 are enough to do not get this error anymore, step 3 is "just" a security tip.
Upvotes: 1
Related Questions
- How to clear the text of all textBoxes in the form?
- How to clear all data / string in a TextBox in C#
- Clear Text in RichTextBox in C#
- Do nothing but clear all text in textbox
- Clean GUI Text WPF
- Avoid blank spaces in textbox
- Unable to clear text from a Multi-Line Textbox from code behind
- How to Clear the TextBox Controls in a Panel
- Clear Textboxes
- Adding ASP or Dynamic Content into the FCK textbox