Last post Jan 30, 2008 10:29 PM by Vlatiska
Sep 28, 2007 03:18 PM|rudip|LINK
I have a box into which users can type their own content. Trouble is, if they use any formatting such as indenting, spacing, etc., it is all lost when the content is placed and it becomes plain text without formatting. Any ideas how to solve this?
Sep 28, 2007 04:05 PM|DarrellNorton|LINK
Jan 15, 2008 03:39 PM|Vlatiska|LINK
Does anyone have another solution? Because if a user wants to make a line break with <br/>, it's the error page that will appear when he posts the ad. And for better readability, a line break is sometimes necessary.
When I open the classifieds_Ads table and put a line break <br> in the Description, I see the line break in the result when I run the CSK. But it's not possible for a user to write <br> in the description textbox without getting the error page after posting.
How can the user make a line break in the Description text?
Jan 15, 2008 04:50 PM|ashmetry|LINK
You can look into FCKeditor http://www.fckeditor.net/ (free), but if you choose to use a regular textbox then the best and only way I know of is to:
- Disable validation to allow submitting HTML by adding ValidateRequest="false" EnableEventValidation="false" to the "<%@ Page" tag
- Now it is your responsibility to call HttpUtility.HtmlEncode(yourTextbox.Text) before you store the data in the database (you want to avoid SQL injection attacks, etc.).
(Actually, you should call HttpUtility.HtmlEncode(...) on ANY textbox before storing its content)
- To display the stored data, call HttpUtility.HtmlDecode, which would convert it back to HTML.
Jan 15, 2008 05:05 PM|TATWORTH|LINK
If you allow users to enter html text, you should write a test function that:
Jan 15, 2008 10:06 PM|Vlatiska|LINK
Jan 16, 2008 01:42 AM|TATWORTH|LINK
>is there a way to ensure that when a user makes a break line in the description of its announcement it be visible when another user viewing this ad?
An explicit <br/> would need to be entered.
Jan 16, 2008 02:07 AM|Vlatiska|LINK
I learn every day. Many things to understand with ASP.NET.
I found this http://support.microsoft.com/kb/821343/en-us
Jan 16, 2008 10:12 AM|ashmetry|LINK
Another trick that might be helpful: if you only want to support line breaks, then in your multiline textbox DO NOT allow HTML at all...
When displaying the data put <pre> </pre> tags around your content. This will display \r\n in the string as line breaks.
Jan 16, 2008 03:02 PM|Vlatiska|LINK
Jan 23, 2008 11:26 PM|Vlatiska|LINK
I tried <pre> </pre> but the output is displayed differently.
I have tried another trick.
In PostAd.aspx.cs: string description = Server.HtmlEncode(DescriptionTextBox.Text).Replace("\r\n", "<br />");
In EditAd.aspx.cs, after DescriptionTextBox.Attributes.Add("onkeyup", "textCounter(this,500);"); I put: DescriptionTextBox.Text = DescriptionTextBox.Text.Replace("<br />", "\r\n");
And in App_Code/BLL/Ads.cs:
using (AdsDataAdapter db = new AdsDataAdapter())
HttpUtility.HtmlEncode(description).Replace("\r\n", "<br />"),
I have a question: because the users of my website are French, some accents are written in the ad descriptions, and with HtmlEncode I lose some space in the database because all accents are transformed into encoded characters. If I remove the HtmlEncode for the Description, can anyone corrupt my database with malicious code?
Jan 24, 2008 12:52 AM|paggy4u|LINK
I suggest you all check my posts in this "Classified Forum" and you will find a working solution with source code in VB.NET.
I had the same problem and my prayers were heard by the Microsoft Classified Team, and they were kind enough to share the code with me.
My thread would be at least 10 months old, so please spare some time on finding it.
Jan 24, 2008 10:20 AM|ashmetry|LINK
I'm not an expert, but I know one of the biggest problems is SQL injection, but if you are using stored procedures (& NOT USING DYNAMIC SQL) then you are mostly safe.
I would clean up <script>...</script> tags before saving the data in the DB.
Another thing I noticed in your code:
You should change
Server.HtmlEncode(DescriptionTextBox.Text).Replace("\r\n", "<br />");
to
Server.HtmlEncode(DescriptionTextBox.Text.Replace("\r\n", "<br />"));
I wouldn't worry much about space (disk is much cheaper than security) ;)
Hope that helps
Jan 30, 2008 10:07 PM|darkknight187|LINK
For anyone interested, I found the easiest way to achieve the line break is to add to the code behind on the ShowAd.aspx.vb page.
DescriptionLabel.Text = input.Replace(Chr(13),
I added the above to the Protected
Sub AdDetails_ItemDataBound(ByVal sender
ByVal e As RepeaterItemEventArgs) section.
And as easy as that it works, and I don't have to worry about attacks.
Jan 30, 2008 10:29 PM|Vlatiska|LINK
That seems to be a better way. I will try it.
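
Added example (not code from any poster or from the Classifieds Starter Kit): a small C# console program for the encode-on-display approach discussed in this thread, where the description is stored as typed and HtmlEncode is applied at display time before the line breaks become <br />. It also runs both call orders that appear in the thread on the same input so the outputs can be compared. The class name, method names and sample text are constructed for illustration.

```csharp
using System;
using System.Web; // HttpUtility, the encoder used in the thread

static class AdText
{
    // Encode first, so markup typed by the user becomes inert text, then
    // insert the only tag we emit ourselves. Normalising \r\n, \r and \n
    // covers text pasted from different platforms.
    public static string ToDisplayHtml(string raw)
    {
        string encoded = HttpUtility.HtmlEncode(raw ?? string.Empty);
        return encoded.Replace("\r\n", "\n")
                      .Replace("\r", "\n")
                      .Replace("\n", "<br />");
    }

    // The other call order from the thread, for comparison: the <br /> is
    // inserted before encoding, so it is encoded with everything else.
    public static string ReplaceThenEncode(string raw)
    {
        string withBreaks = (raw ?? string.Empty).Replace("\r\n", "<br />");
        return HttpUtility.HtmlEncode(withBreaks);
    }

    static void Main()
    {
        // Constructed sample: accents, a line break, markup and an ampersand.
        string raw = "Vélo à vendre\r\n<script>alert(1)</script>\r\nPrix: 50 & négociable";

        Console.WriteLine("Encode, then replace:");
        Console.WriteLine(ToDisplayHtml(raw));

        Console.WriteLine("Replace, then encode:");
        Console.WriteLine(ReplaceThenEncode(raw));

        // Length of the text as typed versus its encoded form, which is the
        // storage growth raised in the question about accented characters.
        Console.WriteLine("Raw length: " + raw.Length);
        Console.WriteLine("Encoded length: " + HttpUtility.HtmlEncode(raw).Length);
    }
}
```

Because the conversion happens only when the ad is rendered, the edit page can load the stored description straight back into the textbox without reversing any replacement.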