Knockout set initial value of an input field where html is allowed - asp.net-mvc-3

I have two input fields first name and last name.
Application was running really well.
Suddenly someone came in from Mars and input something like this in those input fields
*(~'##~>?<+!""*%$)!
for both first name and last name. Now don't ask me why he did this cause in Mars this is very common. You can try it on this fiddle
http://jsfiddle.net/farrukhsubhani/3RjRF/
This text then went into my database and now when i retrieve it it came back like this
*(~'##~>?<+!""*%$)
which is ok for me as its html and I can place it back into knockout and it gets populated as html as you can see in fiddle above. However this Mars guy then thought that on Earth this is not a nice name to be with so he tried to edit field.
The above fiddle is kind of that edit page which shows him old value at bottom and two fields at top. He does not know html so he thought we have changed his name in input fields however I need to know
When passing text to knockout to give initial value to an input field is it possible to tell it that consider this text as html so it renders properly in input field
The other way around is to send him to http://www.w3schools.com/tags/ref_entities.asp and tell him about reserved HTML characters. This info has been stored in database (using Entity Framework simple person.fname and person.lname both with attribute AllowHTML) so on my fiddle i have just placed it in two variables and you can see how actual text boxes are different than html below. If i dont bind using Knockout then actual text is shown in these boxes and user can edit <>' signs without any problem.
Anyone with a solution before he leaves our planet. This can change alien life on our planet.
Update
If i go into this field and paste (~'##~>?<+!""*%$)" binding works fine and you can copy this and paste it into fiddle to see that. However its not taking that value from Javascript variable to knockout expects it to be a string and html special characters are not shown properly in input field.
We have done another test without Knockout and this text does get rendered within the field when you try to edit it its fine.
We have updated JSfiddle to work without JQuery and its the same result if you store it in a js variable and give not value to input field
http://jsfiddle.net/farrukhsubhani/3RjRF/3/
If we assign value to input field and just use jQuery to populate fullname then it works
http://jsfiddle.net/farrukhsubhani/3RjRF/4/
This last fiddle is a working example and we want Knockout to do what JQuery is doing.
I think the question then comes to how can this text be stored in javascript variable and placed into input field as html text so special characters appear unescaped. You can try unescape on jsfiddle that did not work for us.

Somewhere along the trip into (or maybe out of) your database, the value is being HTML-escaped. It's not Knockout itself that's doing it. You're going to need to track that location down, but you can't just disable it; you're going to have to replace it with something that sanitizes the result or otherwise you're opening yourself up to cross-site scripting attacks (any <script>s from external sources inserted into the input would have complete access to your data).
Any time you see the html: binding used, warning bells should go off in your head and you should VERY carefully to check to ensure that there's NO possibility of raw, unexamined user input making it into the string that gets displayed.

Ok here is what i did at the end
http://jsfiddle.net/farrukhsubhani/3RjRF/7/
I have done following:
I have added value attribute to input field and placed the input text as it came from server into it. Because I am using TextBoxFor in MVC it did that for me.
Before I apply knockout binding I have picked this value up using $('#kfname') and passed it to the actual binding so it used the value that came from server. Previously it was passed like (#Model.fname,#Model.lname)
I think what this did was allowed jQuery to pick up the value and assign it to binding instead of variable
ko.applyBindings(new ViewModel($("#kfname").val(), $("#klname").val()));
Hopefully this would help someone using knockout.

Related

TinyMCE4 `image_list` external url

I am trying to get TinyMCE 4's image_list to work with a URL returning JSON data as specified in the example here.
I have setup a GET endpoint http://demo.com/media on my server which gives back a JSON response consisting of a list of objects with their title and value attributes set, for example:
[{"title":"demo.jpg","value":"http://demo.com/demo.jpg"}]
I have also specified the option image_list: "http://demo.com/media" when initializing the plugin.
However, when I click the image icon in the toolbar, nothing pops up. All I can see in the network tab is an OPTIONS request with status 200, but then nothing. The GET request I was expecting never happens.
What is the correct way of using image_list in TinyMCE 4? Also, does anyone have a working demo example? I couldn't find anything.
It is somewhat hard to say what the issue is without seeing the exact data your URL is returning. I have created a TinyMCE Fiddle to show (in general) how this is supposed to work:
http://fiddle.tinymce.com/pwgaab
There is a JavaScript variable at the top (pretendFetchedData) that simulates what you would grab from the server (an array of JavaScript objects) and that is referenced via image_list.
If you enter your URL (http://demo.com/media) into a browser window what is returned? Are you sure its an array of JavaScript objects?
I have the identical problem. No matter what I do with the detail of the format (e.g. putting quotes round title and value), nothing happens.
I guess the only way (for me anyway) is to insert the list into the script with php before sending the web page.

CKEDITOR How to find and wrap text in span

I am writing a CKEDITOR plugin that needs to wrap certain pieces of text in a tag. From a webservice, I have an array of items that need to be wrapped. The array is just the plain text strings. Such as:
"[best buy", "horrible migraine", "eat cake"]
I need to find the instances of this text in the editor and wrap them in a span tag.
This is further complicated because the text may be marked up. So the HTML for "best buy" might be
"<strong>best</strong> buy"
but the text returned from the web service is stripped of any markup.
I started trying to use a CKEDITOR.htmlParser() object, and that seems like it is moderately successful. I am able to catch the parser.onText event and check if the text contains anything in my array.
But then I cannot modify that text. Modifications are not persisted back to the source html. So I think using the htmlParser() is a dead-end.
What is the best way to accomplish this task?
Oh, and as a bonus, I also do not want to lose my user's current cursor position when the changes are displayed.
Here is what I wound up doing and it seems to be working so far.
I created a text filter rule that searches through my array of items for any item that is contained (or partially contained) in the text. If so, it wraps the element in my span.
A drawback here is that I wind up with two spans for items with markup. But in my usecase, this is tolerable.
Then I set the results using:
editor.document.getBody().setHtml(results);
Because of this, I also have to strip this markup back out when this text gets read. I do this using an elements filter on editor.dataProcessor.htmlFilter.
This seems to be working well for my (so far limited) test cases.

CKEditor and HTML in Xpages

I am understanding this better but still not there yet.
I have a notes document with a rich text field. I want to edit it in Xpages, so that the user can enter text for an email that an agent will generate. The idea is that the user should be able to enter styled text, hopefully including pasted graphics, and this is saved to the rich text field in such a way that a later agent can copy that field to the body of an email.
On the form I have checked the field "Store contents as HTML and MIME.
In the Xpage I have bound the CKEditor directly to the field (can bind it to a scope variable if necessary).
The code in my agent is as follows:
Set rtItmFrm = emlDoc.getFirstItem("Body")
Set rtItmTo = New NotesRichTextItem(mail,"Body")
Set rtItmTo = rtItmFrm.Copyitemtodocument(mail,"Body")
Any further suggestions on reading up on MIME/CKEditor etc would also be much appreciated.
Bryan
=========================================================================
I just discovered how to modify the CKEditor in Xpages (the Rich Text Control). I have the full menu and one or two more things turned out. However, I am really puzzled by how it treats HTML. I would like to put a template for a nice HTML email (like a newsletter). Anything even a little complicated it munges and the output is messed up.
I read enough online to understand that it is not supposed to be a HTML editor, but I am really having trouble getting the results I want. I would love to put some basic skeleton HTML in there, but everything but the simplest code doesn't work.
Is there anyway to import HTML and it not get messed up using this editor?
as Per and Stephan said, Have a look at ACF filtering that is 'server side' (This is not related to CKEditor itself, but it is related to XPages).
If you have a look at the inputRichText control you will see 2 properties.
htmlFilter
htmlFilterIn
These properties determine how to filter Html on the way in to your data, and also on the way out.
This can be used to strip styling out, and also to prevent dangerous tags like some bad code here etc.
By Default the htmlFilter is set ACF (Active Content Filtering) if you look at the default rules, you will see it strips things like 'margin' out.
see /properties/acf-config.xml-sample
There is a filter called 'identity' which means don't filter anything, however beware if you use this you are not protected from and maliciously entered html.
You should look into defining your own set of rules for your ACF filter, this way you can choose which elements to remove. There is a section in Mastering XPages book about this.
If you still have any trouble, then there are some settings in CKEditor config which also control ACF (totally separate to XPages server side)
I don't think CKE changes the HTML, it is the writing back to a RT field.
Try and bind your RichText Editor to a scoped variable instead of a RichText field. This way you have access to the raw HTML and can use that to generate a MIME email. You might want to have a look at Mustache for mail merge.
Use this article series as starter how to prepare CK editor to make this possible.
And as Per mentioned: check the filtering.

How to encode the kendo editor field?

I am using the kendo editor. If I write any html data like : <img src=x onerror=alert(0) > as an input. The script is getting executed. Means the kendo editor is not secure. How I can encode the value on client side ?
Thanks in advance.
I don't think the problem here is so much that the Kendo editor is insecure, more that the javascript fragment has made it onto the page in the first place.
On initialization the Kendo editor merely copies the input value verbatim and uses it within the iFrame that is contained within the editor, hence the script executes.
Typically you would encode/sanitize user content server-side before it's displayed. It's your website that generates the HTML page so you have full control over the output and need to ensure that a potentially dangerous value doesn't get added to the input's value in the first place.
It might be worth looking into Microsoft's AntiXSS offering.

Reload the page without submitting it back to the server

the problem I have is that I have two sets of values in a drop down list. If type 'A' is selected I want a text box to be populated with a value from the database and be read only. If Type 'B' is selected the box is to be empty and editable.
My original code is written in jsp/struts and I have sort of achieved this by using
onchange="javascript:submit()" to reload the page, but this has the obvious drawback of saving any changes you have made which means you can't really cancel.
I also have other problems with the serverside validation due to this method.
Is there a way of making a jsp page reload on change, that way I could write javascript to change the way the page looks according to the values held in the session. That way the save/submit function will only be called when the page has properly been filled out and the server side validation will work as designed.
I know that this is something that AJAX is good at doing but I am trying to avoid it if possible.
AJAX is your only other option my friend, unless on the original page load you load all the other possible values of the Text Box so you don't need to go back to the database. Well, you could try putting the text box in an IFRAME, but you will probably run into more problems with that approach than just going with AJAX.
Without AJAX what you are asking is going to be difficult. Another option (which is ugly) is to write out all possible values for the second list box into a data structure like an array or dictionary.
Then write some javascript to get the values from the data structure when the user selects from the first list box. The amount of javascript you will have to write to get this done and to do it correctly in a cross browser way will be much more difficult than simply using AJAX.
Not sure why you'd try to avoid AJAX in today's world, the JS libraries out there today make it so simple it's crazy not to try it out.
I just had to replace a page that was written as Vincent pointed out. I assume at the time it made sense for the app, given the relative size of the data 4 years ago. Now that the app has scaled though, the page was taking upwards of 30 seconds to parse the data structures repeatedly (poorly written JS? maybe).
I replaced all the logic with a very simple AJAX call to a servlet that simply returns a JSON response of values for the 2nd drop down based on what was passed to it and the response is basically instant.
Good luck to ya.
One way is to change the form's action so that you submit the form to a different url than the "save" url. This lets you reload certain aspects of the form and return to the form itself, instead of committing the data.
<script>
function reload() {
document.forms[0].action="reloadFormData.jsp";
document.forms[0].submit();
}
</script>
<form action="saveData.jsp" method="post">
<select id="A" name="B" onchange="reload()"><!-- blah --></select>
<select id="B" name="B"><!-- blah B --></select>
<input type="submit">
</form>
If I understand you correctly, that you want either a dropdown (<select>) or a textfield (<input type="text">) depending on a choice (typically a checkbox or radiobuttons) somewhere above in a form?
I that case you may need to handle the two types of input differently on the server anyway, so why not have both the selectbox and textfield in the area of the form with different names and id and one of them hidden (display = none). Then toggle visibility when the choice changes. On the server you pick eiter the selectbox or textarea input (wich will both be present unless you disable (disabled="disabled") them too, wich I think is uneccesary) depending on the choice input.
Of course if you expect that the user usually just need the text-input, and a few times only, needing a massive list; it would be better to use ajax to retrieve the list. But if it's the other way around (you need the text-field only occationally), as I assumed above, it will be faster to have both present in the initial form.
If the drop down only contain easily generateable data, like years from now to houndreds of years back it could even be much faster (requiring less bandwidth on the server) to generate the data client side using a for loop in Javascript.
I know a taglib that can fit to your problem:
AjaxTags.
I use this taglib in my J2EE projects and it is very simple to integrate it into web applications.
This taglib give you several tags designed to execute AJAX request in your jsp files.
Here is the description of each tags: http://ajaxtags.sourceforge.net/usage.html
The tag which will help you is the ajax:select tag. It allows you to populate a select tag which depends on an other field without reloading the entire jsp page.
If you more informations about it, ask me and i'll try to answer quicky.
Along the lines of what Strindhaug said, but if you need dynamic data:
Could you have the backend write JS into the page, and then the JS would change the form as required? The backend could propagate some variables for descriptions and such, and then the JS could change/update the form accordingly. If you aren't familiar with this, libs like jQuery make things like this easier and more cross-browser than rolling-your-own (at least in my experience).
Aside:
If you're not using AJAX because it was hard to code (as I didn't for a while because my first experience was from scratch and wasn't pretty), as others have said, libs like MooTools and such make it really easy now. Also, there is not shame in using AJAX properly. It has a bad rap because people do stupid things with it, but if you can't simply write premade values into the form or you have to do live look ups, this is one of AJAX's proper uses.

Resources