Hi, I am running CS 2008 Professional Edition on Windows Vista/IIS7 and when I try to post anything with the TinyMCE rich text box, I get this exception:
It doesn't like the html in the posted content. TinyMCE's site suggests setting ValidateRequest=false, but I don't want to remove that security.
Any suggestions?
validateRequest="false" is part of the CS2008 default web.config file and should not be removed.
I'd suggest restoring this configuration.
I assume that CS2008 is then doing its own filtering to prevent malicious posting. I see the <MarkUp> section of CommunityServer.config... is this being used to globally filter any user input in place of validateRequest?
My concern is that I am integrating CS2008 with my own application and I do not want to leave my own forms open to attack.
Is there a way that I can process my own forms with the same rules that CS is using?
P4 Healthcare: is this being used to globally filter any user input in place of validateRequest?
Where HTML content is allowed, it is filtered through the HTML scrubber in Community Server (by default). Where HTML content is not allowed, values are encoded for rendering in HTML.
You could either:
1. If your custom app lives side-by-side with Community Server, you could only disable request validation in Community Server
2. If your custom app lives within Community Server, you can use the CommunityServer.Components.HtmlScrubber to remove potentially harmful HTML from inputs and/or HTML encode incoming data.
Community Server lives in a subdirectory of my Web App.
Problem solved: I dropped a small Web.config into my CommunityServer directory with <pages validateRequest="false" />.
Thanks, Graham
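
For reference, the same scoping can be written in the parent application's Web.config with a `<location>` element instead of a separate file in the subdirectory. This is an added example, not part of the original posts or of Community Server's shipped configuration; it assumes the subdirectory is named `CommunityServer` and that the parent application wants request validation left on for its own pages.

```xml
<?xml version="1.0"?>
<!-- Root Web.config of the parent web application (assumed layout). -->
<configuration>

  <!-- Site-wide default: ASP.NET request validation stays enabled,
       so the parent application's own forms still reject posted markup. -->
  <system.web>
    <pages validateRequest="true" />
  </system.web>

  <!-- Override for the Community Server subdirectory only.
       "CommunityServer" is an assumed directory name; use the real
       relative path. Inside this path, posted HTML reaches the
       application, which then relies on its own scrubbing and
       encoding of user input, as described in the thread. -->
  <location path="CommunityServer">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>

</configuration>
```

Any page added under that path later inherits the disabled setting, so custom forms placed there need their own input scrubbing or output encoding.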