views:

68

answers:

2

Hello,

In a previous question someone point out to me that TinyMCE is a nice and free WYSIWYG editor. Since then, the easiest part has been downloading the resource and have a editor being displayed on an ASP.NET MVC sample page. However, I haven't yet been able to make it work (even after surfing in the net - even in the TinyMCE's website I didn't see anything for first time user).

Well, maybe the main point is to know how the thing's supposed to work. For instance, I've placed a button in the same Html.BeginForm where the TextArea is located. But when I clicked it, there was no post-back happening. So, here's my question:

What the concept behind the editor?

  1. How do I get it post the content? (using a button, a link???)
  2. How do I receive the value posted in my action method? (using a local string variable - (model binding?))
  3. What am I supposed to expect? (text, fragment of HTML, both???)

If someone can provide me with resource on that, that would nice. However, for now, I'd like to know how that's work.

Thanks for helping.

+1  A: 

TinyMCE overlays on top of a textarea.

Use a TinyMCE textarea just like you'd use a regular textarea.

jfar
@jfar: Thanks for answer. for a regular textArea, I'd put both a textarea and a submit button in the form. When I click the button, the form the textarea's value would be submitted to the appropriate action method so that I'll recover it with a local string variable using Model binding. Is that what you mean? But when I click the button, nothing is happening. That why I asked this question.
Richard77
+3  A: 

TinyMCE takes a standard <textarea> element and turns it into a Rich Text Editor using JavaScript. So in your ASP.NET MVC Views you simply create a textarea in the normal way eg

<% Html.TextAreaFor(m => m.Description) %>

When TinyMCE converts this to a textarea it'll still maintain the same id's and name attributes on your textarea element:

<textarea id="Description" name="Description"></textarea>

So model binding should continue to work as normal, it's the name attribute in that code sample above that gets submitted when you post, TinyMCE won't change that, so your POST data will look something like: Description=<p>Hello world</p>&MyButton=Submit (form POST data is simply name/value pairs separated by &ampsersands).

So in your Controller Action:

[HttpPost]
public ActionResult SaveProduct(Product product)
{
    string description = product.Description;

    // Save Product to database (snip)
}

'description' variable will contain the raw HTML markup from TinyMCE. So this should all work as normal, not sure why it isn't. Can you verify that the form is set up and posting as normal, eg. by removing the TinyMCE and just having a standard textarea.

Also, you're not using the <asp:TinyMCE WebForms control by any chance?

Sunday Ironfoot
@Sunday Ironfoot: Thanks. Now we're getting somwhere. Concerning my question, you've answered it i.e. you explained to me what TinyMCE is all about. Unfortunately, I'm getting the following error: "A potentially dangerous Request.Form value was detected from the client (description="<p>..."
Richard77
Put [ValidateInput(false)] to you save action or whole controller.
queen3
I'm using MVC 1. I'm still getting the error after I've added [ValidateInput(false)]
Richard77
@Richard77: TinyMCE submits HTML markup to the server, HTML can be used for XSS (Cross Site Scripting) attacks, for instance if I type <script> window.location = 'http : / /www.some-dodgy-site.com'; </script> that JavaScript code would execute on the client browser. For safety ASP.NET is rejecting the request because of the inclusion of potentially dangerous mark-up. Try adding <pages validateRequest="false"> into the <system.web> section in your web.config. But now you're potentially open to XSS so remember to <%= Html.Encode(myString) %> everything (except your TinyMCE output obviously)
Sunday Ironfoot
@Richard77: I should add because you WON'T be Html.Encode'ing the output from the TinyMCE rich text editor (or you'll see the HTML tags on the screen), you'll still need to deal with the potential for XSS as the result of malicious users modifying the raw HTTP request data bypassing your TinyMCE's client-side checks. This can be !!INSANELY!! difficult problem to solve. If your TinyMCE editor is used for internal use, then you can safely ignore it, otherwise do a search for SO posts covering this issue.
Sunday Ironfoot
@Sunday Ironfoot: This time, I added [ValidateInput(false)] on top of [AcceptVerb(Http.Post)], and (I don't know why) it worked. Thanks for the advice concerning the XSS attacks, but for now, I'm savoring the success.
Richard77