
asp.net mvc encode on form post

I'm using a rich text editor in my ASP.NET MVC form (NicEdit with a textarea), and when I submit the form on POST, because the content is not HTML encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client". How can I HTML encode the textarea on POST? I don't want to cancel the validation. Is there a way to use the Html.Encode helper on submit?

Thank you.

Answer1:

You could decorate the action handling the form post with the ValidateInputAttribute:

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SomeActionToHandleFormSubmission()
    {
        ...
    }

Answer2:

Rather than switching off ValidateInput, which leaves you open to vulnerabilities, you could use JavaScript to encode the special characters. This allows you to avoid the error message:

A potentially dangerous Request.Form value was detected from the client

for some simple inputs (such as emails in the format MyName<me@somewhere.com>) while still having the built-in MVC function to watch your back for other script injection. Of course, if you need the input in the correct format at the server you will have to decode it, and be careful if you are outputting it again.

If already using jQuery, this can easily be added to all input fields as follows:

    $("input").on("change", function () {
        $(this).val(htmlEscape($(this).val()));
    });

htmlEscape here is my own function to change the special characters:

    function htmlEscape(str) {
        return str
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
    }

Depending on your needs you may want to escape all characters using the built-in JavaScript function encodeURI, or extend the above function such as:

    function htmlEscape(str) {
        return str
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
    }
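The round trip that Answer 2 describes (escape in the browser, pass request validation, decode on the server), as an added, self-contained example that is not part of the original answer. Everything in it is an assumption of this example: the form is a plain name-to-value object rather than a DOM so it runs without a browser, the fields include the textarea (Answer 2's `$("input")` selector only hooks `<input>` elements), and `looksDangerous` is a simplified stand-in for ASP.NET's request validation, written from the two patterns this example assumes it checks (`<` followed by a letter, `!`, `/` or `?`, and `&#`); it is not the framework's code. Under that assumed rule the `&#39;` form that the extended htmlEscape above emits for apostrophes is itself rejected, which is worth checking against your own framework version before relying on client-side escaping. The deeper caveat stands regardless: the escaping runs in the client, which an attacker controls, so it is a convenience for legitimate users and the server-side check remains the actual control.

```javascript
// Added example, not code from the original question or answers.
// Map of the five HTML-significant characters to the entities used by Answer 2.
const ESCAPES = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };

// Escape in a single pass so that '&' is handled first and the entities
// produced for the other characters are not escaped a second time.
function htmlEscape(str) {
  return String(str).replace(/[&"'<>]/g, (ch) => ESCAPES[ch]);
}

// Exact inverse of htmlEscape, the decode step the server has to perform
// after model binding. '&amp;' is restored last so that an escaped literal
// '&lt;' ('&amp;lt;' on the wire) comes back as '&lt;', not as '<'.
function htmlUnescape(str) {
  return String(str)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Simplified stand-in for the "potentially dangerous Request.Form value" check.
// ASSUMPTION of this example: reject '<' followed by a letter, '!', '/' or '?',
// and reject '&#'. This is not ASP.NET's implementation.
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]/.test(value) || /&#/.test(value);
}

// Escape every field right before the POST, textareas included. `fields` is a
// plain name->value map here instead of a DOM so the example runs offline.
function escapeFormFields(fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) out[name] = htmlEscape(value);
  return out;
}

// Walk a form through the whole round trip: client escape, server validation
// (stand-in), server decode. Returns everything so each step can be inspected.
function roundTrip(fields) {
  const escaped = escapeFormFields(fields);
  const rejected = Object.values(escaped).some(looksDangerous);
  const decoded = {};
  for (const [name, value] of Object.entries(escaped)) decoded[name] = htmlUnescape(value);
  return { escaped, rejected, decoded };
}

// What happens when the escaping is bypassed, i.e. an attacker posts the raw
// values directly: the server-side check still fires, which is the point.
function rawPostRejected(fields) {
  return Object.values(fields).some(looksDangerous);
}

// Constructed sample form: the e-mail case from Answer 2 plus a rich-text body
// that contains both an entity the user typed and an injected script tag.
const SAMPLE_FORM = {
  contact: "MyName<me@somewhere.com>",
  body: "<p>Hello &amp; welcome</p><script>alert(1)</script>",
};

// Stand-alone run: prints the escaped form, whether the stand-in check would
// reject it, and whether the decoded values match what the user typed.
const result = roundTrip(SAMPLE_FORM);
console.log(result.escaped);
console.log("rejected after client escape:", result.rejected);
console.log("decoded equals original:", JSON.stringify(result.decoded) === JSON.stringify(SAMPLE_FORM));
console.log("raw post rejected:", rawPostRejected(SAMPLE_FORM));
console.log("apostrophe via &#39; rejected by stand-in:", looksDangerous(htmlEscape("it's")));
```

Note that the decoded body still contains the `<script>` tag: decoding on the server gives you back exactly what the user sent, so anything rendered from it must either be HTML encoded on output (Razor's `@` does this) or run through a sanitizer before `Html.Raw`.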

Answer3:

Decorating the field with AllowHtml will do the job without omitting the validation logic. This solved the problem in my case without encode/decode.

    [System.Web.Mvc.AllowHtml]
    public string YourField { get; set; }

Answer4:

Are you using .NET 4.0? If so you will also need

    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>

in your web.config file.
