Dec 08, 2009, 7:46 AM
[CLOSED] [1.0] ComboBox with HTML encoded data
In the example below I've got two ComboBoxes, each of them linking to a Store - one of which contains some un-encoded HTML characters, and the other contains encoded HTML characters.
In the "Encoded" ComboBox, the drop-down list displays the values correctly because the HTML is encoded, however when a value is selected the encoded characters are inserted into the ComboBox's text field.
In the "Decoded" ComboBox, the drop-down list displays the values incorrectly (it renders the HTML tags) because the HTML hasn't been decoded, however when a value is selected the correct formatted text is inserted into the ComboBox's text field.
Is there a simple solution to allow the "Encoded" ComboBox to work as intended (i.e. upon selection of a value, display the correctly formatted text)? I have a lot of ComboBoxes, each of which displays data from the database that has been HTML encoded, so if there is a global change I can make to allow this to work correctly, it would be appreciated.
I know most users aren't likely to add records with HTML characters, but we need to be sure we're not opening our application up to attack by allowing HTML to be rendered from the database.
Many thanks,
Dan
<%@ Page Language="C#" %>
<%@ OutputCache Location="None" VaryByParam="None"%>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Store whose DataName values are already HTML-encoded
        strEncoded.DataSource = new object[]
        {
            new object [] { 1, "&lt;br&gt;Test&lt;/br&gt;" },
            new object [] { 2, "&lt;b&gt;Test&lt;/b&gt;" }
        };
        strEncoded.DataBind();

        // Store whose DataName values contain raw (un-encoded) HTML
        strDecoded.DataSource = new object[]
        {
            new object [] { 1, "<br>Test</br>" },
            new object [] { 2, "<b>Test</b>" }
        };
        strDecoded.DataBind();
    }
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
</head>
<body>
    <form id="Form1" runat="server">
        <ext:ResourceManager ID="rsmMain" runat="server">
        </ext:ResourceManager>
        <ext:Store ID="strEncoded" runat="server">
            <Reader>
                <ext:ArrayReader IDProperty="DataID">
                    <Fields>
                        <ext:RecordField Name="DataID" Type="Int"></ext:RecordField>
                        <ext:RecordField Name="DataName" Type="String"></ext:RecordField>
                    </Fields>
                </ext:ArrayReader>
            </Reader>
        </ext:Store>
        <ext:Store ID="strDecoded" runat="server">
            <Reader>
                <ext:ArrayReader IDProperty="DataID">
                    <Fields>
                        <ext:RecordField Name="DataID" Type="Int"></ext:RecordField>
                        <ext:RecordField Name="DataName" Type="String"></ext:RecordField>
                    </Fields>
                </ext:ArrayReader>
            </Reader>
        </ext:Store>
        <ext:FormPanel runat="server" Width="600">
            <Items>
                <ext:ComboBox Width="400" runat="server" FieldLabel="Encoded" StoreID="strEncoded" ValueField="DataID" DisplayField="DataName"></ext:ComboBox>
                <ext:ComboBox Width="400" runat="server" FieldLabel="Decoded" StoreID="strDecoded" ValueField="DataID" DisplayField="DataName"></ext:ComboBox>
            </Items>
        </ext:FormPanel>
    </form>
</body>
</html>
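The two output contexts described in the post, modelled as an added example in plain JavaScript (not code from the post or from Ext.NET; the function names, the `combo-item` class and the third, double-encoded row are constructed for illustration). The record keeps the raw text, the drop-down markup is encoded at render time, and the text field receives the raw value unchanged.

```javascript
// Constructed sample rows: [DataID, DataName], HTML-encoded as they sit in the database.
const storedRows = [
  [1, "&lt;br&gt;Test&lt;/br&gt;"],
  [2, "&lt;b&gt;Test&lt;/b&gt;"],
  [3, "Tom &amp;amp; Jerry"], // constructed edge case: encoded twice before storage
];

const ENC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DEC = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// Encode text for a sink that is parsed as HTML markup.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENC[ch]);
}

// Decode exactly one level in a single pass, so "&amp;lt;" becomes "&lt;" and never "<".
function htmlDecodeOnce(text) {
  return String(text).replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => DEC[name]);
}

// Store load: normalise each record to raw text once, at the data boundary.
function loadRecords(rows) {
  return rows.map(([id, name]) => ({ DataID: id, DataName: htmlDecodeOnce(name) }));
}

// Sink 1: a drop-down list item is built as markup, so the value is encoded here.
function listItemHtml(record) {
  return '<div class="combo-item">' + htmlEncode(record.DataName) + "</div>";
}

// Sink 2: a text field's value is plain text, never parsed as HTML, so no encoding.
function fieldText(record) {
  return record.DataName;
}

const records = loadRecords(storedRows);
for (const r of records) {
  console.log(listItemHtml(r), "|", fieldText(r));
}
```
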