asp.net默认情况下,不允许提交包含html源代码的表单,这在很大程度上防止了跨站(提交)攻击,但是ckeditor/fckeditor之类的富文本编辑器肯定是要生成html源代码的,如何解决这个矛盾?
通常的办法是修改web.config
asp.net2.0/3/3.5时可以这样做:
<pages validateRequest="false"></pages>
asp.net4.0下,这样还不够,必须写成这样:
<pages validateRequest="false"></pages>
<httpRuntime requestValidationMode="2.0"/>
这样虽然解决了问题,但是同时也降低了安全性,如何在不降低asp.net默认安全性的前提下使用ckeditor/fckeditor?
思路:
客户端--表单中增加一个隐藏域,提交时先把ckeditor/fck的内容用url编码后,赋值给该隐藏域,然后清空ckeditor/fck,再提交,这样提交过去的内容就不包含html源代码了。
服务端--接收该隐藏域的值做为ckeditor的内容,同时接收时先url解码
代码:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="ckeditor_demo.Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <title></title> <script type="text/javascript" src="ckeditor/ckeditor.js"></script> <script type="text/javascript" src="js/sample.js"></script> <link type="text/css" rel="stylesheet" href="css/sample.css" /> </head> <body> <form id="form1" runat="server"> <div id="alerts"> <noscript> <p> <strong>CKEditor需要JavaScript支持才能运行!</strong>如果您的浏览器不支持或禁止运行Javascript,您只能用常规方式在普通文本输入框里编辑html代码 </p> </noscript> </div> <textarea class="ckeditor" cols="80" id="editor1" name="editor1" rows="10"><p>This is some <strong>sample text</strong>. You are using <a href="http://ckeditor.com/">CKEditor</a>.</p></textarea> <input type="hidden" id="_editor1" name="_editor1" value="" /> <br /> <input type="button" value="获取编辑器html内容" onclick="getData()" /> <input type="button" value="设置编辑器html内容" onclick="setData()" /> <input type="button" value="设置焦点" onclick="setFocus()" /> <input type="submit" value=" 提 交 " onclick="return onSubmit(this)" /> <hr/> <asp:Label runat="server" ID="lblMsg"></asp:Label> </form> <script type="text/javascript"> //获取ckeditor内容 function getData() { var editor = CKEDITOR.instances.editor1; alert(editor.getData()); } //设置ckeditor内容 function setData() { var editor = CKEDITOR.instances.editor1; var _content = "<div style='color:red'>红色字体</div>"; editor.setData(CKEDITOR.tools.htmlEncode(_content));//这里调用了ckeditor工具库的htmlEncode方法 } //设置ckeditor的焦点,并高亮背景显示 function setFocus() { var editor = CKEDITOR.instances.editor1; editor.focus(); editor.document.$.body.style.cssText = "background-color:#ff9"; } //点击提交时 function onSubmit(btn) { var editor = CKEDITOR.instances.editor1; var editor1 = document.getElementById("editor1"); if (editor.getData().length == 0) { alert("请输入详细介绍!"); editor.focus(); editor.document.$.body.style.cssText = "background-color:#ff9"; return false; } else { var _editor1 = document.getElementById("_editor1"); _editor1.value = encodeURIComponent(editor.getData()); editor.setData("");//清空ckeditor setTimeout(doSubmit, 200); //延时0.2秒再提交,否则ckeditor会报js出错,原因不明(估计是ckeditor设置内容后,还要执行其它回调函数代码,所以这时马上提交的话,某些代码还没完成,延时等待代码执行完成后,再提交就可以了) btn.disabled = true;//提交按钮设置为不可用,防止重复提交 } return false; } function doSubmit() { document.forms[0].submit(); } </script> </body> </html>