Portal input HTML into field "Multiple Lines of Text"

Microsoft Dynamics CRM Forum

appmachine123 asked a question on 21 May 2019 10:10 AM

Hi, I want to allow my Dynamics Portal visitors to fill a form field's content with the CKEDITOR, so that they can use HTML tags (e.g. lists). When I initialize the CKEDITOR with htmlEncodeOutput: true, HTML tags are encoded when submitting the form. This leads to the following problem: When I'm fetching the data with FetchXML and display it with Liquid in my Portal frontend, the HTML tags are encoded and therefore not interpreted and displayed by the browser. How can I decode the HTML tags? Is there some kind of Liquid filter?

The alternative would be to not encode the HTML-tags. But when I try to save HTML code from a Portals form, the Portal outputs the following error:

ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$ContentContainer$MainContent$EntityControls$EntityFormControl$EntityFormControl_EntityFormView

Is it possible to deactivate the HTML Request Validation?

Thanks in advance for your help!

Joseph McGregor Macdonald responded on 21 May 2019 7:07 PM

Hi appmachine

We have a portal which has HTML entered for a multiline text field. In our implementation the HTML is encoded when submitted in the portal (using the native JavaScript encodeURIComponent method), then a preoperation plugin decodes the HTML (using the .NET Uri.UnescapeDataString method). I believe this was implemented to solve the reason you have described.

So I would suggest a potential solution to your problem is to implement a preoperation plugin which decodes the HTML. There may be other ways to solve it but this solution works well in our portal instance.

Dmytro Rutkovskyi responded on 31 May 2019 6:37 PM

Hi, to be able to save the form with symbols (deactivate the HTML Request Validation), please use a Site Setting with the name "DisableValidationWebTemplate" and the value "true".

If there is no such site setting, please create it.

Liquid doesn't encode the output by default.

Instead it has multiple filters to escape output, like {{ '<p>test</p>' | escape }} or {{ variable |h}}, or {{ variable | xml_escape}}.

If the text is already escaped in CRM, you can probably use JavaScript to un-escape it, which is the easier way.

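For the display side discussed in this thread, an added example that is not part of any post above: rather than un-escaping the whole stored value, restore only an allowlist of attribute-free tags and leave everything else encoded. It assumes the field holds the editor's output with `<`, `>` and `&` HTML-encoded; `ALLOWED_TAGS` and `decodeAllowlistedHtml` are hypothetical names.

```javascript
// Added example. ALLOWED_TAGS is a constructed allowlist (an assumption):
// match it to the formatting buttons your editor toolbar actually exposes.
const ALLOWED_TAGS = ['p', 'br', 'ul', 'ol', 'li', 'strong', 'em'];

// One pass over the stored value. Alternatives, in order:
//   1. an encoded, attribute-free tag from the allowlist, e.g. "&lt;/li&gt;"
//   2. one level of "&amp;" (the editor's own entities were encoded again)
//   3. a raw "<" or ">" that reached the record by some other route
const TOKEN = new RegExp(
  '&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')(?:\\s*/)?&gt;|&amp;|[<>]', 'gi');

function decodeAllowlistedHtml(stored) {
  return String(stored).replace(TOKEN, (match, slash, tag) => {
    if (match === '<') return '&lt;';   // raw markup is never passed through
    if (match === '>') return '&gt;';
    if (tag === undefined) return '&';  // "&amp;" -> "&"
    // Rebuild the tag from its name only, so it cannot carry attributes.
    return '<' + slash + tag.toLowerCase() + '>';
  });
}

// Constructed sample of what the field might hold after an encoded submit.
const sample =
  '&lt;ul&gt;&lt;li&gt;Fish &amp;amp; chips&lt;/li&gt;&lt;/ul&gt;' +
  '&lt;script&gt;alert(1)&lt;/script&gt;';
console.log(decodeAllowlistedHtml(sample));
```

Assign the result to the target element's `innerHTML`; a tag outside the allowlist, or an allowlisted tag carrying attributes, then shows up as visible text instead of being interpreted.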