Question

I have a Note Field with RichTextMode=FullHtml. We can set the value of this field to a string.

// url and name are the link target and link text (declared elsewhere in the code)
string aString = string.Format("<a href=\"{0}\">{1}</a>", url, name);
listItem["field"] = aString;

But when I try to add, let's say, an onclick=alert(this) to the string, that part of the string is not part of the tag.

// the event handler I want to end up in the onclick attribute
string javascript = "alert(this)";
string aString = string.Format("<a href=\"{0}\" onclick=\"{1}\">{2}</a>", url, javascript, name);

The tag should look like this:

<a href="url" onclick="alert(this)">name</a>

instead of: <a href="url">name</a>

My questions are:

  • Is it possible to add JavaScript to SharePoint fields / Note fields?
  • Why does SharePoint "trim" or discard onclick or onmousedown when I add JavaScript to the string, which really should just be a string?

Solution

The code that reads in the text input from the form and saves it to the list will be doing an HtmlEncode operation that replaces the HTML tags.

This occurs 'server side' so you won't be able to change this using JavaScript.

This is because as soon as you take input from a user and then render it back to your web page, you open yourself up to all sorts of nasties such as Cross Site Scripting if you are not filtering out potentially bad stuff (the very reason the HtmlEncode is used). This is less of a problem on a typical SharePoint intranet site than on a public-facing site.
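The following is an added example, not code from the question, the answer or SharePoint itself. It shows, in Python, the two server-side treatments the answer's reasoning points at for a string like the poster's: an HtmlEncode step, which turns the whole markup into inert text, and an attribute allowlist filter, which keeps an `<a href>` but drops `on*` event handlers and `javascript:` URLs, which is the shape of output the question reports. The sample strings, the allowlist and the helper names are constructed for the example; which of the two treatments a given SharePoint build applies is not something this page establishes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input (not from the page): the anchor the question builds,
# with the event handlers the poster wanted to keep, plus a javascript: URL.
URL = "https://example.test/page"
NAME = "Example"
USER_HTML = f'<a href="{URL}" onclick="alert(this)" onmousedown="alert(1)">{NAME}</a>'
JS_URL_HTML = '<a href="javascript:alert(1)">click</a>'


def html_encode(value: str) -> str:
    """HtmlEncode-style treatment: '<', '>', '&' and quotes become entities, so the
    browser shows the markup as literal text and never parses it as tags."""
    return html.escape(value, quote=True)


# Allowlist for the filtering treatment: tag -> attributes that may survive.
# No on* attribute is ever listed, so event handlers cannot get through.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def safe_url(url: str) -> bool:
    """Reject URLs whose scheme could execute script (javascript:, data:, ...)."""
    return urlsplit(url.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is dropped
    and all text is re-escaped, so output is a strict subset of safe markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag (script, img, ...) is removed entirely
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or name.startswith("on"):
                continue  # onclick / onmousedown land here and are discarded
            if name == "href" and not safe_url(value):
                continue  # javascript:alert(1) is dropped, the <a> is kept
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(value: str) -> str:
    """Allowlist treatment: keep the link, strip the event handlers."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("encoded :", html_encode(USER_HTML))
    print("filtered:", sanitize(USER_HTML))
    print("js url  :", sanitize(JS_URL_HTML))
```

Run it and compare the two lines: after `html_encode` nothing is a tag any more, while after `sanitize` the anchor survives but `onclick` and `onmousedown` are gone, which is exactly the "the tag is there but the handler is not" behaviour the question describes. Either treatment breaks the poster's plan because both are applied on the server before the value is stored or rendered, so no client-side script can undo them.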

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange