Channel: ASP.NET AJAX + Ajax Control Toolkit (ACT)

HtmlEditorExtender will post pasted HTML controls to server side as part of original page


Here is a sample page as the source:

<form id="form1" runat="server">
    start<br />
    <asp:TextBox ID="txtId1" runat="server" Text="Test_Id1"></asp:TextBox>
    <input type="text" id="txtId2" name="txtId2" value="Test_id2" />
    end
</form>

Here is a sample page as the destination:

<form id="form1" runat="server">
    <asp:TextBox ID="txtId1" runat="server"></asp:TextBox>
    <asp:ToolkitScriptManager ID="ToolkitScriptManager1" runat="Server" />
    <asp:TextBox ID="txtContent" runat="server" Columns="50" Rows="10" TextMode="MultiLine"></asp:TextBox>
    <asp:HtmlEditorExtender ID="HtmlEditorExtender1" TargetControlID="txtContent" runat="server" DisplaySourceTab="true" />
    <asp:Button ID="Button1" runat="server" Text="Button" />
</form>

And here is the code-behind in the destination page:

protected void Page_Load(object sender, EventArgs e)
{
    // Echo the raw posted value; the destination page declares no control named txtId2
    Response.Write(Request.Form["txtId2"]);
}



Now I run both pages in a web browser (mine is Firefox 17.0 and IE8). I selected all content from begin to end in the source page, copied it, then pasted it into the HtmlEditorExtender of the destination page. In the textbox it shows 2 textboxes as expected; then I clicked the button to submit.

Then in the postback page, it shows Test_id2 as the result of Response.Write(Request.Form["txtId2"]), although there is no control named txtId2 in the original page; it comes from the pasted content in the HtmlEditor.

And also the textbox txtId1 has the value of Test_id1.

EnableSanitization has no effect on this.

I think it could cause a security issue, since the end user can manipulate the value of any control in your web page.
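The post above describes why pasted HTML matters: any `<input>`, `<textarea>`, `<select>` or `<button>` that ends up rendered inside the page's `<form>` is submitted by the browser on postback, so a pasted control can add a field the page never declared (txtId2) or shadow one it did (txtId1). The following is an added example, written here in Python rather than taken from the post or from the Ajax Control Toolkit, showing the check a sanitizer should make on editor content before it is rendered inside a form: list the form fields a fragment would contribute to the postback, report which of them collide with the page's own control names, and strip the controls out. The fragment `PASTED`, the field list `PAGE_FIELDS`, and all function and class names are assumptions of this example; `PASTED` is a constructed approximation of what the poster's source page renders (the asp:TextBox becomes an `<input name="txtId1">`), not output captured from the post.

```python
from html import escape
from html.parser import HTMLParser

# Elements the browser submits together with the enclosing <form>. Pasted HTML
# rendered inside the page's form therefore adds these to the postback.
FORM_CONTROLS = {"input", "textarea", "select", "button"}


class FormControlScanner(HTMLParser):
    """Collect (tag, name, value) for every form control in a pasted fragment."""

    def __init__(self):
        super().__init__()
        self.controls = []
        self._in_textarea = False
        self._textarea_name = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag not in FORM_CONTROLS:
            return
        a = dict(attrs)
        if tag == "textarea":
            self._in_textarea = True
            self._textarea_name = a.get("name")
            self._text = []
        else:
            # <select> submits its selected <option>; recorded here with value None
            self.controls.append((tag, a.get("name"), a.get("value")))

    def handle_data(self, data):
        if self._in_textarea:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "textarea" and self._in_textarea:
            self.controls.append(("textarea", self._textarea_name, "".join(self._text)))
            self._in_textarea = False


class FormControlStripper(HTMLParser):
    """Re-emit the fragment with every form control (and its content) removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out = []
        self._skip = 0  # >0 while inside a dropped <textarea>/<select>/<button>

    @staticmethod
    def _attrs(attrs):
        parts = [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in attrs]
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        if tag in FORM_CONTROLS:
            if tag != "input":  # <input> is void, so there is no content to skip
                self._skip += 1
            return
        if not self._skip:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in FORM_CONTROLS:
            return
        if not self._skip:
            self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in FORM_CONTROLS and tag != "input":
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped; a sanitizer has no reason to keep them


def pasted_form_fields(fragment):
    """Fields the browser would submit if `fragment` were rendered inside the form."""
    scanner = FormControlScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.controls


def overridden_fields(fragment, page_field_names):
    """(names that shadow the page's own controls, names the page never declared)."""
    names = {name for _, name, _ in pasted_form_fields(fragment) if name}
    page = set(page_field_names)
    return sorted(names & page), sorted(names - page)


def strip_form_controls(fragment):
    """Fragment with every form control removed, as a sanitizer should emit it."""
    stripper = FormControlStripper()
    stripper.feed(fragment)
    stripper.close()
    return "".join(stripper.out)


# Constructed approximation of what the source page renders in the browser.
PASTED = ('start<br /><input type="text" id="txtId1" name="txtId1" value="Test_Id1" />'
          '<input type="text" id="txtId2" name="txtId2" value="Test_id2" />end')
# Names of the destination page's own controls (assumed, from the markup above).
PAGE_FIELDS = ["txtId1", "txtContent", "Button1"]

if __name__ == "__main__":
    print(pasted_form_fields(PASTED))
    print(overridden_fields(PASTED, PAGE_FIELDS))
    print(strip_form_controls(PASTED))
```

Run against `PASTED`, the scanner reports both inputs, `overridden_fields` returns `txtId1` as a shadowed page control and `txtId2` as an undeclared one (the value the poster saw via `Request.Form["txtId2"]`), and the stripper leaves `start<br />end`. The same scan is worth running server-side on whatever the editor posts back, since a client-side editor cannot be trusted to have done it.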

