Using a custom model binder for HTML strings

Question

I am attempting to bind a user-inputted HTML string from a POST into a simple string variable on a model object. This works fine if I use the [AllowHtml] attribute. However, I'd like to sanitize the HTML before it makes its way into the model so I have created a ModelBinder:

public class SafeHtmlModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerCtx, ModelBindingContext bindingCtx)
    {
        var bound = base.BindModel(controllerCtx, bindingCtx);
        // TODO - return a safe HTML fragment string
        return bound;
    }
}

And also a CustomModelBinderAttribute:

[AttributeUsage(AttributeTargets.Property, AllowMultiple = false, Inherited = false)]
public class SafeHtmlModelBinderAttribute : CustomModelBinderAttribute
{
    public SafeHtmlModelBinderAttribute()
    {
        binder = new SafeHtmlModelBinder();
    }

    private IModelBinder binder;

    public override IModelBinder GetBinder()
    {
        return binder;
    }
}

I then annotate the model properties which I want to be sanitized with the new attribute:

[Required(AllowEmptyStrings = false, ErrorMessage = "You must fill in your profile summary")]
[AllowHtml, SafeHtmlModelBinder, WordCount(Min = 1, Max = 300)]
public string Summary { get; set; }

This is following the example at http://msdn.microsoft.com/en-us/magazine/hh781022.aspx. Unfortunately, it doesn't seem to work! If I place a breakpoint in my BindModel method it is never hit. Any ideas?

UPDATE

Based on the information from Joel I have changed my IModelBinder to intercept the value when in the SetProperty method and instead apply the SafeHtmlModelBinderAttribute to the class containing string properties that can contain HTML. The code checks that the property is a string and is also allowed to contain HTML before trying to sanitize:

public class SafeHtmlModelBinder : DefaultModelBinder
{
    protected override void SetProperty(
        ControllerContext controllerCtx,
        ModelBindingContext bindingCtx,
        PropertyDescriptor property,
        object value)
    {
        var propertyIsString = property.PropertyType == typeof(string);
        var propertyAllowsHtml = property.Attributes.OfType<AllowHtmlAttribute>().Count() >= 1;

        var input = value as string;
        if (propertyIsString && propertyAllowsHtml && input != null)
        {
            // TODO - sanitize HTML
            value = input;
        }

        base.SetProperty(controllerCtx, bindingCtx, property, value);
    }
}

Answer 1

I've found the following solution derrived from http://aboutcode.net/2011/03/12/mvc-property-binder.html works quite well

First you need a simple attribute that you can apply to properties

    public class PropertyBinderAttribute : Attribute
        {
            public PropertyBinderAttribute(Type binderType)
            {
                BinderType = binderType;
            }

            public Type BinderType { get; private set; }
        }

The following model binder

public class DefaultModelBinder : System.Web.Mvc.DefaultModelBinder
    {
        protected override void BindProperty(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
        {
            var propertyBinderAttribute = TryFindPropertyBinderAttribute(propertyDescriptor);
            if (propertyBinderAttribute != null)
            {
                var binder = CreateBinder(propertyBinderAttribute);
                binder.BindProperty(controllerContext, bindingContext, propertyDescriptor);
            }
            else // revert to the default behavior.
            {
                base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
            }
        }

        IPropertyBinder CreateBinder(PropertyBinderAttribute propertyBinderAttribute)
        {
            return (IPropertyBinder)DependencyResolver.Current.GetService(propertyBinderAttribute.BinderType);
        }

        PropertyBinderAttribute TryFindPropertyBinderAttribute(PropertyDescriptor propertyDescriptor)
        {
            return propertyDescriptor.Attributes.OfType<PropertyBinderAttribute>().FirstOrDefault();
        }
    }

is then overriden in Global.asax.cs

ModelBinders.Binders.DefaultBinder = new DefaultModelBinder();

then create your model binder

public class InvariantCultureDecimalModelBinder : IModelBinder, IPropertyBinder
    {
        public void BindProperty(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
        {
            var subPropertyName = CreateSubPropertyName(bindingContext.ModelName, propertyDescriptor.Name);
            if (!bindingContext.ValueProvider.ContainsPrefix(subPropertyName))
                return;

            var attemptedValue = bindingContext.ValueProvider.GetValue(subPropertyName).AttemptedValue;
            if (String.IsNullOrEmpty(attemptedValue))
                return;

            object actualValue = null;
            try
            {
                actualValue = Convert.ToDecimal(attemptedValue, CultureInfo.InvariantCulture);
            }
            catch (FormatException e)
            {
                bindingContext.ModelState[propertyDescriptor.Name].Errors.Add(e);
            }

            propertyDescriptor.SetValue(bindingContext.Model, actualValue);
        }

        public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
        {
            var valueResult = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
            var modelState = new ModelState { Value = valueResult };
            object actualValue = null;
            try
            {
                if (!String.IsNullOrEmpty(valueResult.AttemptedValue))
                    actualValue = Convert.ToDecimal(valueResult.AttemptedValue, CultureInfo.InvariantCulture);
            }
            catch (FormatException e)
            {
                modelState.Errors.Add(e);
            }

            bindingContext.ModelState.Add(bindingContext.ModelName, modelState);
            return actualValue;
        }

        //Duplicate code exits in DefaulModelBinder but it is protected internal
        private string CreateSubPropertyName(string prefix, string propertyName)
        {
            if (string.IsNullOrEmpty(prefix))
                return propertyName;
            if (string.IsNullOrEmpty(propertyName))
                return prefix;
            else
                return prefix + "." + propertyName;
        }

    }

which can now cleanly be applied in a standard way on model properties

[PropertyBinder(typeof(InvariantCultureDecimalModelBinder))]
public decimal? value

or using the built-in attribute on parameters

public ActionResult DoSomething([ModelBinder(typeof(InvariantCultureDecimalModelBinder))] decimal value)

Answer 2

I've just been struggling with the same thing. It seems like the GetBinder() method is never called. After digging around I found this post where the accepted answer is that its not possible to put a model binding attribute for a property.

Whether that's true or not I don't know but for now I'm just going to try and achieve what I need to do a different way. One idea would be to create a more generic ModelBinder and check for the presence of your attribute when performing the binding, similar to what's being suggested in this answer.