  • Robert Stigsson (47 posts, 158 karma points)
    Aug 12, 2015 @ 13:56

    Rich Text Editor in Macro, Malicious Code?

    I have gone through this tutorial: http://lindsayjopson.com/using-an-rte-as-a-macro-parameter-in-umbraco-7/ to create a Rich Text Editor to be used within Macros.

    It worked great, but when I tried to retrieve the Text-field (with HTML) from the Rich Text Editor, it had a bad format (I needed to use WebUtility.HtmlDecode(var) to get the correct format).

    Since I used the WebUtility.HtmlDecode(var) I needed to use Html.Raw() to render the HTML correctly. If I've understood correctly, Html.Raw() can be used to render malicious code. Is that correct?

    I noticed that by writing <script>alert("hi");</script> and allowing the Macro to be rendered in the rich text editor and grid, it will execute the script. As far as I can see, the script will not be executed on the published site, but I still wonder if there might be a vulnerability?

    Is there any way to get the correct format without using WebUtility.HtmlDecode(var)?

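The three rendering paths the post describes, as an added example that is not code from the original post or from Umbraco. It assumes a constructed, once-encoded parameter value standing in for what the RTE macro parameter hands to the partial view, and simulates Razor's default `@value` encoding with `WebUtility.HtmlEncode`. The allowlist filter at the end is a deliberately small illustration of the check that belongs between `HtmlDecode` and `Html.Raw`; a real deployment would use a maintained HTML sanitizer library rather than a regex. What the example makes visible is that `Html.Raw` over decoded editor content emits whatever the editor holds verbatim, so the only things standing between a `<script>` typed into the RTE and the visitor's browser are the trust placed in back-office editors and any filtering applied before `Html.Raw`.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not Umbraco code): simulates how a Rich Text Editor macro
// parameter renders on each path a Razor macro partial might take.
static class RteMacroRendering
{
    // Constructed value in the form the RTE macro parameter arrives: the
    // editor's HTML, encoded once. The editor content here was
    // <p>Hello &amp; welcome</p><script>alert("hi");</script>
    public const string EncodedParameter =
        "&lt;p&gt;Hello &amp;amp; welcome&lt;/p&gt;&lt;script&gt;alert(&quot;hi&quot;);&lt;/script&gt;";

    // Path 1: plain @value in the view. Razor HTML-encodes strings by default,
    // so the already-encoded markup is encoded a second time and the visitor
    // sees literal "&lt;p&gt;..." text: the "bad format" from the post.
    public static string RenderEncoded(string parameter) =>
        WebUtility.HtmlEncode(parameter);

    // Path 2: @Html.Raw(WebUtility.HtmlDecode(value)). The decoded markup is
    // emitted verbatim, <script> included, because Html.Raw skips encoding.
    public static string RenderRaw(string parameter) =>
        WebUtility.HtmlDecode(parameter);

    // Path 3: decode, then filter against a tag allowlist before Html.Raw.
    // Assumption: this regex filter is for illustration only; use a
    // maintained sanitizer library in production.
    static readonly string[] AllowedTags =
        { "p", "br", "strong", "em", "ul", "ol", "li", "h2", "h3" };
    static readonly Regex TagPattern =
        new Regex(@"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", RegexOptions.Compiled);

    public static string Sanitize(string decodedHtml)
    {
        var output = new StringBuilder();
        int pos = 0;
        bool skipContent = false; // true while inside <script> or <style>

        foreach (Match m in TagPattern.Matches(decodedHtml))
        {
            // Text before the tag is a text node: normalise its entities and
            // re-encode so it can never be interpreted as markup.
            if (!skipContent)
                output.Append(EncodeText(decodedHtml.Substring(pos, m.Index - pos)));
            pos = m.Index + m.Length;

            bool closing = m.Groups[1].Value == "/";
            string name = m.Groups[2].Value.ToLowerInvariant();

            if (name == "script" || name == "style")
            {
                skipContent = !closing; // drop the element and its contents
                continue;
            }
            // Allowed tags are re-emitted without any attributes (no onclick,
            // href, style...); disallowed tags are dropped, their text kept.
            if (!skipContent && Array.IndexOf(AllowedTags, name) >= 0)
                output.Append(closing ? $"</{name}>" : $"<{name}>");
        }
        if (!skipContent)
            output.Append(EncodeText(decodedHtml.Substring(pos)));
        return output.ToString();
    }

    // Decode first so "&amp;" in the editor's text does not become "&amp;amp;".
    static string EncodeText(string textNode) =>
        WebUtility.HtmlEncode(WebUtility.HtmlDecode(textNode));

    public static string RenderSanitized(string parameter) =>
        Sanitize(WebUtility.HtmlDecode(parameter));

    static void Main()
    {
        Console.WriteLine("@value            : " + RenderEncoded(EncodedParameter));
        Console.WriteLine("@Html.Raw(decoded): " + RenderRaw(EncodedParameter));
        Console.WriteLine("sanitized         : " + RenderSanitized(EncodedParameter));
    }
}
```

For the constructed value, the raw path yields `<p>Hello &amp; welcome</p><script>alert("hi");</script>` and the sanitized path yields `<p>Hello &amp; welcome</p>`; the script element and any attributes on allowed tags are gone. Whether the unfiltered path is an acceptable risk comes down to whether every user who can edit that RTE in the back office is trusted to author arbitrary HTML, since `Html.Raw` gives them exactly that.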