Label html string being read by screen reader - accessibility

I've got some dynamically generated html building a drop down menu using the Dojo library. I need to make my code Accessibility compliant and right now the screenreader looks at the menu item and reads it as plain html:
menu.addChild(new MenuItem({
label: "<a onclick=window.location.href='sampleurl.com'
href="sampleurl.com">Sample Link</a> ...
Excuse the onclick, it's for a different issue, but what I'm getting is basically:
Tab down to first menu item
Screenreader: "Less than a onclick equals window dot location dot href equals sampleurl"... etc
I've tried using aria-hidden, but the screen reader just reads that as text, I'm using voice over on Mac OS, but I need it compliant for JAWS as well. Any tips or advice? Thanks!

label is used for the label (which can be in HTML), not for putting the full link html tag.
See on the following page how to use the Dojo library to generate menu items:
https://dojotoolkit.org/reference-guide/1.10/dijit/Menu.html
Example:
menu.addChild(new MenuItem({
label: "Sample Link",
onclick: function() {window.location.href='sampleurl.com';}}));

This would be easier to debug with a working example along with something stating what screen reader / browser combo you are using. At the bare minimum, show us the HTML output of your script, considering it is writing HTML for the screen reader to parse.
That being said, I suspect the missing / inconsistent quotes. Note that you start a string with double quotes, then go into the onclick attribute with no quotes around, then single quotes around its value, and then use double quotes around the href.
Alternatively, you are writing the entire string into the page and somehow HTML encoding it.
I suggest using a linting tool to check your JS.

Related

Render page breaks in DevExpress RichTextEdit

I want to be able to add and remove page-breaks to a RichEditControl element.
I understand that it's possible to add the page break by pressing Ctrl + Enter, but it's impossible for the user to see the page break and remove it, as it currently looks like it's a simple new line.
I tried to use the DXRichEditFormattingMarkVisibilityOptions to display a separator, thinking it would display the page break, without luck:
<d:RichEditControl ActiveViewType="Simple"
ShowBorder="False" Background="{x:Null}"
AutoSizeMode="Vertical" LayoutUnit="Document"
CommandBarStyle="Empty" BarManager="{TemplateBinding BarManager}">
<d:RichEditControl.FormattingMarkVisibilityOptions>
<d:DXRichEditFormattingMarkVisibilityOptions Separator="Visible"/>
</d:RichEditControl.FormattingMarkVisibilityOptions>
</d:RichEditControl>
Is there any way to render the page break in the RichEditControl and let it be easy to be removed by the user?
To display the Page Break character, you need to execute a command that display all hidden characters (such as paragraphs, spaces and tabs) and force these other characters to be hidden back, letting just the page break being displayed.
var command = new ToggleShowWhitespaceCommand(_richEditControl);
command.Execute();
Then you can apply this to the style of the control or alter directly via code:
<d:RichEditControl.FormattingMarkVisibilityOptions>
<d:DXRichEditFormattingMarkVisibilityOptions HiddenText="Hidden"
ParagraphMark="Hidden" Space="Hidden" TabCharacter="Hidden"/>
</d:RichEditControl.FormattingMarkVisibilityOptions>

How can I change the background colour of a specific range of text within a text field? What type of text field can I use within my Web App?

I have a c#.net web app which has multiple asp:textbox fields. I want to be able to change the background colour or text colour of the text within this boxes but only a specific range so for example the first 200 characters are to be red, the remaining characters should be green.
I am aware you can't control the content of a asp:textbox field but I am using ASPNetSpell to perform inline spell checking on all boxes and this renders the field as a asp:textbox.
Does anyone have any idea how I can achieve this functionality: ability to format partial content within a field and apply a spell checker? I am open to any suggestions.
Any and all help greatly appreciated.
Laura
It looks like the ASPNetSpell textbox is rendered as a div so you should be able to format the text using jQuery. Here is a way you can do this:
$(document).ready(function () {
$("#aspnetspellbutton").bind("click", function(eventData) {
var textfrominputelement = $("#yourinputelementid").text().substr(0, 200);
textfrominputelement.fontcolor("Red");
});
});
Basically, your binding the aspnetspellbutton click event to the jQuery function and then assigning the first 200 characters of text from the aspnetspell textbox and then changing the color of that text to Red.
This is a terse example. Depending on your requirements it could be a little more complicated. Script Junkie is a great resource for jQuery if your new to it.
You need something like a RichTextBox control. Check this out as well, those could be your solution. Good luck!

Do I need to html-encode title attributes (tooltips)?

In my markup I am using HTML title attributes which I set by the Tooltip property of various ASP.NET controls like an asp:Label. The content of those titles come from a database and I use data binding syntax, for instance:
<asp:Label ID="PersonLabel" runat="server"
Text='<%# HttpUtility.HtmlEncode(Eval("PersonShortName")) %>'
ToolTip='<%# HttpUtility.HtmlEncode(Eval("PersonFullName")) %>' />
Now, tooltips seem to be displayed as plain text on Windows and in the browsers I have tested. So the HTML-encoding is not what I really want and I am inclined to remove the encoding.
Can this be dangerous in any way if the database fields may contain script tags for example? My question is basically: Is it always guaranteed that HTML-title attributes are displayed as plain text? Are they always displayed as tooltips at all, or is it possible that some browsers (or OSs) display them in another way and allow and render HTML content in the title attributes?
Edit:
Looking at some of the answers it seems I didn't phrase my question well, so here are some additions:
If I have in the code snippet above a PersonShortName of "PM" in my database and as the PersonFullName a name with non-ASCII characters in it like Umlauts in "Peter Müller" the browser displays in the tooltip Peter Müller when I apply HttpUtility.HtmlEncode like in the code example - which is ugly.
I've also tested a simple HTML fragment like:
<span title="<script>alert('Evil script')</script>" >Hello</span>
The script in the title attribute didn't run in a browser with enabled Javascript (tested with Firefox), instead it was displayed in the tooltip as plain text. Therefore my guess was that title attributes are always rendered as plain text.
But as Felipe Alsacreations answered below there exist "rich tooltip plugins" which may render the title attribute as HTML. So in this case encoding is a good thing. But how can I know that?
Perhaps HttpUtility.HtmlEncode isn't the right solution and I have to filter only HTML tags but not encode simple special characters to make sure that the plain text is displayed correctly and to protect "rich HTML tooltips" at the same time. But it looks like a costly work - only for a simple tooltip.
Always sanitize output to the browser.
If a value like "><script>blabla</script> is inserted as a value for your fields, a user can essentially take over your entire site. It will probably make a mess when it comes to validation and correct code, but the script will still be run.
So to answer your question: No, it is not guaranteed that HTML-title attributes are displayed as plain text if the user knows what he/she is doing.
Beside security reasons:
Title attributes should always be plain text but certain JS plugins misuse them to display 'rich' tooltips (i.e. HTML code with bold text, emphasis, links and so on).
As for browsers and AFAIK they are displayed as plain text and tooltips, never displayed to those who use tabbed navigation (keyboard) and scren readers give to their users (blind and partially sighted people) many options, like reading the longest between link title and its text or always title or never ...
Surprisingly, still, no right answer in 5 years. The answer is: yes, you need to encode the title attribute, but not everything that is encoded in the innerText of the element.
The proper way to do it in asp.net if you do your own markup is:
string markup = string.Format("<div class='myClass' title='{0}'>{1}</div>",
System.Web.HttpUtility.HtmlAttributeEncode(myText),
System.Web.HttpUtility.HtmlEncode(myText));
The above will set both innerText and title of the div to myText, which is customary for elements that may contain long text but are constrained in width (as I believe the question implies).
The ToolTip property of a ASP.NET control will auto encode the value on output/rendering.
This means it is safe to set the tooltip to plain text as the page will sanitize the text on rendering.
Label1.ToolTip = "Some encoded text < Tag >"
Renders HTML output as:
<span title="Some encoded text < Tag >"></span>
If you need to use text that is already encoded, you can set the title attribute instead. The title attribute will not be automatically encoded on rendering:
Label1.Attributes("title") = "Some encoded text < Tag >"
Renders HTML output as:
<span title="Some encoded text < Tag >"></span>
Another point:
Who cares how the title attribute is rendered by a browser, when it is the presence of malicious strings in the source code that could present an issue?
It doesn't matter how it is displayed, the question is: how does it appear in the source code?
(As already stated, if you're pumping strings to the client, do something to sanitize those strings.)
I think there may be some confusion going on with this thread.
Firstly <asp:Label> is an ASP.NET Web Control. The Text and ToolTip attributes are "abstractions" of the inline content and 'title' attributes of an HTML tag respectively.
For these particular two properties Microsoft will perform the HTML Encoding for you automatically so if you set ToolTip="H&S<" then the <span> tag will be rendered as <span title="H&S<"...>. The same goes for the Text property.
NOTE: Not all properties perform automatic encoding (HTML or InnerContent properties for example)
If however you are generating HTML tags directly (Response.Write("<span...") for example) then you MUST http encode the text content and tooltip attributes content if:
Those values originate from a user / external unsanitised source or
If there is a possibility that the content may contain characters that should be escaped (& < > etc.)
Usually this means that it is safe to to:
Hardcoded content with no http characters:
Response.Write("<span title='Book Reference'>The art of zen</span>"); // SAFE
Hardcoded content with http characters that you manualle encode:
Response.Write("<span title='Book & Reference'>The art & zen</span>"); // SAFE
Dynamically sourced content:
Response.Write("<span title='"+sTitle+"'>"+sText+"</span>"); // UNSAFE
Response.Write("<span title='"+HttpUtility.HtmlEncode(sTitle)+"'>" +HttpUtility.HtmlEncode(sText)+"</span>"); // SAFE

How to get value (non html) from ajax html editor

Please help me to get text (non html/ not formatted) from ajax text editor in asp.net i am using vs 2008.
i am using AjaxControlToolkit.HTMLEditor
you can see same kind of at : ajax HtmlEditor
Well, the documentation on the page you linked to only shows that the HTMLEditor has a Content property, which is the html text, not the plain text. However, the editor itself, on the page, allows you to view either the rendered html, or the html code (the markup).
The editor uses an <iframe> to contain the rendered html. If you want to get the plain text (no html tags), you'll have to do it on the clientside. The <iframe> has an id. You could use something like jquery to do this:
var plainText = $("#iframeID body").text();
$("#someHiddenField").val(plainText);
As long as someHiddenField is an <asp:HiddenField> control, it will contain the plain text of the editor when you post back. You just need to make sure you make the above assignment after you're done editing the HTMLEditor's content, but before you actually post back.
UPDATE
I answered another similar question, and my first answer might not actually get the text of the <iframe>. Try this:
var text = $("#iframeID").contents().find("body").text();
$("#ctl00_cpMainContent_Editor1_ctl02_ctl00").contents().find("body")[0].innerHTML

Input Validation When Using a Rich Text Editor

I have an ASP.NET MVC application and I'm using CKEditor for text entry. I have turned off input validation so the HTML created from CKEditor can be passed into the controller action. I am then showing the entered HTML on a web page.
I only have certain buttons on CKEditor enabled, but obviously someone could send whatever text they want down. I want to be able to show the HTML on the page after the user has entered it. How can I validate the input, but still be able to show the few things that are enabled in the editor?
So basically I want to sanitize everything except for a few key things like bold, italics, lists and links. This needs to be done server side.
How about AntiXSS?
See my full answer here from similar question:
I have found that replacing the angel
brackets with encoded angel brackets
solves most problems
You could create a "whitelist" of sorts for the html tags you'd like to allow. You could start by HTML encoding the whole thing. Then, replace a series of "allowed" sequences, such as:
"<strong>" and "</strong>" back to "<strong>" and "</strong>"
"<em>" and "</em>" back to "<em>" and "</em>"
"<li>" and "</li>" back to ... etc. etc.
For things like the A tag, you could resort to a regular expression (since you'd want the href attribute to be allowed too). You would still want to be careful about XSS; someone else already recommended AntiXSS.
Sample Regexp to replace the A tags:
<a href="([^"]+)">
Then replace as
<a href="$1">
Good luck!

Resources