I’ve updated my solution for this issue to be more robust and easier to follow. Please read the latest post instead.

TinyMCE is a great little WYSIWYG JavaScript text editor that we use quite often inside administration pages. It’s lightweight and just works out of the box.

Well, except for one little issue: TinyMCE posts its output back as raw HTML, and ASP.NET request validation doesn't like that. When you submit an ASP.NET form that contains the TinyMCE text editor, you get this lovely message:

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentBody$TextBoxBodyHtml="<p>Test!</p>").

Which is good, because that's ASP.NET request validation doing some checking and helping to protect your site from XSS attacks. It is a coarse safety net (it rejects form values containing a < followed by a letter, and a few similar patterns), not a substitute for encoding output properly, but it is worth keeping.

The standard solution you see floating around the web is to turn off validation for the page entirely (ValidateRequest="false" in the @ Page directive). This gets more hairy when you're talking about ASP.NET 4.0, where that directive alone no longer takes effect: you end up having to set <httpRuntime requestValidationMode="2.0" /> in web.config, which forces the entire web application back onto the ASP.NET 2.0 validation model.

I’ve never liked this method, and I doubt anyone who has used it in the past has felt great about it either. Validation is there for a reason.

The better solution is to use TinyMCE's built-in output encoding option, so the browser posts back entity-encoded text rather than raw markup, and then HtmlDecode the value yourself on the server side if you need the HTML back.

    <tinymce:TextArea id="TextBoxBodyHtml" encoding="xml" runat="server" />

    // Code-behind; HttpUtility lives in System.Web. TinyMCE posts the markup entity-encoded, so decode it to get the HTML back.
    public string BodyHtml
    {
        get { return HttpUtility.HtmlDecode(TextBoxBodyHtml.Value); }
        set { TextBoxBodyHtml.Value = value; }
    }

So, with the encoding option set to xml, TinyMCE posts back the already-encoded HTML chunk, and ASP.NET's request validation doesn't get tripped, because the posted value no longer contains a raw < at all. Everyone's happy! One caveat: validation was sidestepped, not satisfied. The decoded string is exactly the untrusted markup the user typed, script tags included, so before you store it or render it to other users you still need to sanitize it against a whitelist of tags and attributes; HtmlDecode does nothing for that.
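Here is the whole round trip in plain JavaScript, added here as an example; none of it is the post's own code or TinyMCE/ASP.NET source. The three helpers are stand-ins: xmlEncode models what encoding="xml" does on the client (an assumption; the real encoder may differ in details such as apostrophes), isDangerousRequestValue approximates ASP.NET's request-validation pattern rather than reproducing Microsoft's code, and htmlDecode stands in for HttpUtility.HtmlDecode. It also pushes a hostile payload through the same path to show why the decoded value still needs sanitizing.

```javascript
// Added example (not code from the original post or from TinyMCE/ASP.NET):
// a client/server round-trip of the encoding="xml" workaround, in plain JS.
// Assumptions: xmlEncode stands in for what TinyMCE does with encoding="xml"
// (the real encoder may differ in detail, e.g. apostrophes); isDangerousRequestValue
// is an approximation of ASP.NET's request-validation pattern, not Microsoft's code;
// htmlDecode stands in for HttpUtility.HtmlDecode.

// Client side: what TinyMCE does to the textarea value before the form posts.
function xmlEncode(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return html.replace(/[&<>"]/g, (c) => map[c]);
}

// Server side: approximation of ASP.NET request validation. It rejects '<'
// followed by a letter, '!', '/' or '?', and '&' followed by '#'. That second
// rule means numeric entities such as &#39; are rejected too, so an encoder
// that emits them would not get past validation either.
function isDangerousRequestValue(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i];
    const next = value[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === '&' && next === '#') return true;
  }
  return false;
}

// Server side: stand-in for HttpUtility.HtmlDecode, covering the entities the
// encoder above produces plus numeric references. A single pass with one
// alternation means "&amp;lt;" decodes to "&lt;", not all the way to "<".
function htmlDecode(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return text.replace(/&(amp|lt|gt|quot|#(\d+)|#x([0-9a-f]+));/gi, (m, name, dec, hex) => {
    if (dec !== undefined) return String.fromCodePoint(Number(dec));
    if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
    return named[name.toLowerCase()];
  });
}

// The whole round trip: what the browser posts, whether validation would
// reject it, and what the BodyHtml getter would hand back to the application.
function roundTrip(editorHtml) {
  const posted = xmlEncode(editorHtml);
  const rejectedByValidation = isDangerousRequestValue(posted);
  const decoded = rejectedByValidation ? null : htmlDecode(posted);
  return { posted, rejectedByValidation, decoded };
}

// The post's own example: raw markup trips validation, encoded markup does not.
const raw = '<p>Test!</p>';
console.log(isDangerousRequestValue(raw)); // true: this is the "potentially dangerous" error
console.log(roundTrip(raw));               // posted '&lt;p&gt;Test!&lt;/p&gt;', not rejected, decodes back to raw

// The caveat: a constructed hostile payload goes straight through, and the
// decoded value is exactly as dangerous as the raw post would have been.
const hostile = '<p>Hi</p><script>alert(1)</script>';
const result = roundTrip(hostile);
console.log(result.rejectedByValidation, isDangerousRequestValue(result.decoded)); // false true
```

The last two lines are the point of the exercise: request validation judged the encoded bytes on the wire, so once you decode them you are back to holding whatever the user typed, and that is where a whitelist sanitizer has to run before the markup is stored or rendered.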

According to the TinyMCE manual:

This option is set to nothing by default and is therefore disabled.

I’d love it if they changed that around and encoded everything by default.

posted on Thursday, July 22, 2010 3:09 PM | Filed Under [ Development Microsoft ]
