views:

1488

answers:

3

In the app I am working on, I want to allow the user to upload static HTML pages to replace the default "user profile" MVC View page. Is this possible? That is, the user-uploaded HTML pages will totally run out of MVC, and they can include their own CSS links, etc.

Ideas? Suggestions?

+5  A: 

Obviously the .NET MVC framework handles static content already for images / CSS / JS etc. It would just be a matter of extending that (routing?) to pass .html files through straight to IIS. That, coupled with a dash of rewriting to make prettier URLs, should do the trick.

However, I would be very, very wary of allowing User Generated Content in the form of raw HTML uploads as you're leaving a very, very wide door open. At best, you're going to wind up with people's pages full of spam/porn/adverts. At the worst, you'll be providing a gateway for people to upload cross-site scripting hacks and potentially uploading malicious content to damage your site. They could easily take an existing form on your site, hardcode a load of junk into it, and execute it from their homepage and break a whole heap of things.

At the very least you should be parsing the uploaded content to reduce it down to just a block of content, and then wrapping that in your own etc. I would personally be much more inclined to just provide users with a nice WYSIWYG editor to edit a single block of content - any editor worth its salt should provide you with sanitisation as to what elements it includes / excludes. Then store this content fragment in your database / on disc and have the request for a homepage go through a standard MVC controller route and load up that content.


Edit - for your request for examples: You should be able to add an Ignore rule to your routing - there will probably be examples of these already - crack open your Global.asax file - you will want to put in a call to the routes.IgnoreRoute method:

routes.IgnoreRoute("UserPages/{*path}");

Should let IIS handle all requests for yourwebsite.com/UserPages/aUser/homepage.html - you can also play about a bit more with the wild card fragments / constraints for prettier solutions

iAn
A: 

I suggest you make a custom ViewEngine that will allow you to use static HTML markup with custom tags in it, which will be replaced by user info.

So, your view engine may accept something like that:

<html>
    <body>
     <b><user:FirstName /></b>
     <b><user:LastName /></b>
    </body>
</html>

and produce

<html>
    <body>
     <b>First Name</b>
     <b>Last Name</b>
    </body>
</html>

You can store this custom markup in a database, for example. You can take a look at custom ViewEngine implementations in the MVC Contrib project.

maxnk
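The tag substitution described in the answer above, as an added example that is not part of the original answer and not code from MVC Contrib. `UserTemplateRenderer`, `AllowedFields` and the sample profile are hypothetical names; the code is plain string rendering that a custom ViewEngine could call, and it HTML-encodes every substituted value and only expands fields on an allowlist.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper: expands <user:Field /> placeholders in a stored
// template with HTML-encoded profile values.
public static class UserTemplateRenderer
{
    // Matches <user:Name /> or <user:Name/>; field names are letters only.
    private static readonly Regex Placeholder =
        new Regex(@"<user:([A-Za-z]+)\s*/>", RegexOptions.Compiled);

    // Fields a template is allowed to read; anything else renders as empty,
    // so a template cannot pull arbitrary profile data into the page.
    private static readonly HashSet<string> AllowedFields =
        new HashSet<string>(StringComparer.Ordinal) { "FirstName", "LastName" };

    public static string Render(string template, IDictionary<string, string> profile)
    {
        return Placeholder.Replace(template, match =>
        {
            string field = match.Groups[1].Value;
            string value;
            if (!AllowedFields.Contains(field) || !profile.TryGetValue(field, out value))
                return string.Empty;
            // Encode on output so a profile value can never introduce markup.
            return WebUtility.HtmlEncode(value);
        });
    }

    public static void Main()
    {
        // Constructed sample input: one value contains markup, one field is
        // present in the profile but not on the allowlist.
        string template =
            "<html>\n    <body>\n     <b><user:FirstName /></b>\n" +
            "     <b><user:LastName /></b>\n     <i><user:PasswordHash /></i>\n" +
            "    </body>\n</html>";
        var profile = new Dictionary<string, string>
        {
            { "FirstName", "Ann" },
            { "LastName", "<script>alert(1)</script>" },
            { "PasswordHash", "constructed-value" }
        };
        Console.WriteLine(Render(template, profile));
    }
}
```

The encoding covers only the substituted values; if the template markup itself comes from users, it still needs the sanitisation discussed in the first answer.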
A: 

Thanks for the ideas. My original thought was to use a customizable theme but I also realize advanced users almost never like the flexibility of customization.

I will definitely filter the user HTML file to block any JavaScript etc., but it would be nice to know if there is a "best practice" on how to do this, or a sample "route" to use to get me started.

Thanks!

ycseattle