User Content/HTML on Site Problem

I am building an ASP.NET website to allow a group of users to edit the content of pages using a WYSIWYG HTML editor.
These users can put in content as well as HTML markup, which will be displayed in a div tag (similar to how we post messages here through an editor).

Something like this:

<div id="USERCONTENTHERE">

user content here 
<p> Users paragraph here</p>
</ul>
	<li>user enters an unordered list with wrong markup</li>
<ul>

</div>

The problem is, when a user enters wrong markup or forgets to close tags, it messes up the page layout and anything that follows.
Is there a way to restrict the mess that a user may create to only the user's div block, and not have the page layout messed up?

Thanks

I’d say the problem is leaving it up to the user to do that sort of thing in the first place. I don’t know about ASP, but good CMSs leave markup to the developer.

BTW, HTML4 doesn’t require closing tags (not that I’m recommending leaving elements unclosed, though).

</ul>
  <li>user enters an unordered list with wrong markup</li>
<ul> 

I presume that’s an unintentional typo? :wink:

The only way to do that is to validate the markup generated by your WYSIWYG editor, and that is not an easy task. Since an HTML document is really an XML tree, I suppose you could write an XML parser and check for errors, but then again, accounting for what the user meant to do is the problem.

You could restrict the usage of HTML and, like these forums, replace it with BBCode or some similar solution where you replace custom tags with HTML when displaying or saving in your DB.

</ul>
  <li>user enters an unordered list with wrong markup</li>
<ul> 

I presume that’s an unintentional typo? :wink:

Just saying that the user might enter something wrong like that, or at worst a closing div tag at the start of the user-allowed content, and then my main page layout gets messed up.

The only way to do that is to validate the markup generated by your WYSIWYG editor

Yeah, that’s right, but I am using an open source editor and have no control over the markup it generates, and if the user puts in their own HTML, I have no idea how to validate it. It’d be a very difficult and time-consuming task to write code in ASP.NET to validate HTML.

Maybe I could use an IFRAME, not sure if that’d be good. I need to look more at how others (even SitePoint) do it.

Regardless of you having no control over the markup generated by the WYSIWYG editor, you can still sanitize the data, by checking it before it is saved.

There are PHP classes available that do this, however I’m not really sure if there are any in ASP so you may need to write one.

If you do not do this, then you are opening up your site to malicious users. What if someone entered a script tag and used it to steal cookies from other users?

You mention using an iframe, which would solve the problem of the page layout becoming broken, however it is no substitute for proper validation.

Edit - Just realised I’ve revived an old thread here, apologies.
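
An added example, not part of any post in this thread: a sketch of the "sanitize before saving" step using only the Python standard library. It keeps an allowlist of tags, drops script/style content and stray closing tags, and closes anything left open so the fragment cannot leak into the surrounding layout. The allowlist, the `sanitize` name and the sample string are assumptions; the same approach ports to ASP.NET with any lenient HTML parser.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch; adjust to what the editor should emit.
ALLOWED = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # drop these tags and their text
# Constructed input: the thread's wrong markup, a stray </div>, a script tag.
SAMPLE = ("</div><p>Users paragraph here</p></ul><li>wrong markup</li><ul>"
          "<script>steal()</script>")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = "".join(
            f' {n}="{escape(v)}"' for n, v in attrs
            if n in ALLOWED_ATTRS.get(tag, ()) and v
            and v.strip().lower().startswith(SAFE_SCHEMES))
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open.append(tag)  # remember it so it can be closed later

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        if self.skip or tag not in self.open:
            return  # stray close tag such as a leading </div>: drop it
        while self.open:  # close anything left open inside this element
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.open))
```

The output is balanced and script-free but not necessarily valid HTML (an `li` may end up outside a list); run it on input before it is stored, and again on output if older rows were saved unsanitized.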