asp.net默认情况下,不允许提交包含html源代码的表单,这在很大程度上防止了跨站(提交)攻击,但是ckeditor/fckeditor之类的富文本编辑器肯定是要生成html源代码的,如何解决这个矛盾?
通常的办法是修改web.config
asp.net2.0/3/3.5时可以这样做:
<pages validateRequest="false"></pages>
asp.net4.0下,这样还不够,必须写成这样:
<pages validateRequest="false"></pages>
<httpRuntime requestValidationMode="2.0"/>
这样虽然解决了问题,但是同时也降低了安全性,如何在不降低asp.net默认安全性的前提下使用ckeditor/fckeditor?
思路:
客户端--表单中增加一个隐藏域,提交时先把ckeditor/fck的内容用url编码后,赋值给该隐藏域,然后清空ckeditor/fck,再提交,这样提交过去的内容就不包含html源代码了。
服务端--接收该隐藏域的值做为ckeditor的内容,同时接收时先url解码
代码:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="ckeditor_demo.Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script type="text/javascript" src="ckeditor/ckeditor.js"></script>
<script type="text/javascript" src="js/sample.js"></script>
<link type="text/css" rel="stylesheet" href="css/sample.css" />
</head>
<body>
<form id="form1" runat="server">
<div id="alerts">
<noscript>
<p>
<strong>CKEditor需要JavaScript支持才能运行!</strong>如果您的浏览器不支持或禁止运行Javascript,您只能用常规方式在普通文本输入框里编辑html代码
</p>
</noscript>
</div>
<textarea class="ckeditor" cols="80" id="editor1" name="editor1" rows="10"><p>This is some <strong>sample text</strong>. You are using <a href="http://ckeditor.com/">CKEditor</a>.</p></textarea>
<input type="hidden" id="_editor1" name="_editor1" value="" />
<br />
<input type="button" value="获取编辑器html内容" onclick="getData()" />
<input type="button" value="设置编辑器html内容" onclick="setData()" />
<input type="button" value="设置焦点" onclick="setFocus()" />
<input type="submit" value=" 提 交 " onclick="return onSubmit(this)" />
<hr/>
<asp:Label runat="server" ID="lblMsg"></asp:Label>
</form>
<script type="text/javascript">
//获取ckeditor内容
function getData() {
var editor = CKEDITOR.instances.editor1;
alert(editor.getData());
}
//设置ckeditor内容
function setData() {
var editor = CKEDITOR.instances.editor1;
var _content = "<div style='color:red'>红色字体</div>";
editor.setData(CKEDITOR.tools.htmlEncode(_content));//这里调用了ckeditor工具库的htmlEncode方法
}
//设置ckeditor的焦点,并高亮背景显示
function setFocus() {
var editor = CKEDITOR.instances.editor1;
editor.focus();
editor.document.$.body.style.cssText = "background-color:#ff9";
}
//点击提交时
function onSubmit(btn) {
var editor = CKEDITOR.instances.editor1;
var editor1 = document.getElementById("editor1");
if (editor.getData().length == 0) {
alert("请输入详细介绍!");
editor.focus();
editor.document.$.body.style.cssText = "background-color:#ff9";
return false;
}
else {
var _editor1 = document.getElementById("_editor1");
_editor1.value = encodeURIComponent(editor.getData());
editor.setData("");//清空ckeditor
setTimeout(doSubmit, 200); //延时0.2秒再提交,否则ckeditor会报js出错,原因不明(估计是ckeditor设置内容后,还要执行其它回调函数代码,所以这时马上提交的话,某些代码还没完成,延时等待代码执行完成后,再提交就可以了)
btn.disabled = true;//提交按钮设置为不可用,防止重复提交
}
return false;
}
function doSubmit() {
document.forms[0].submit();
}
</script>
</body>
</html>
