Mimz l

Reputation: 3

Can't pass HTML tags in parameters in $.post()

I am using a user control in MVC 4 that has a Telerik RadEditor. I want to submit the content of the RadEditor to the action method, but if I use editor.get_html() the code doesn't execute.

The JavaScript call to the action method is the following:

    function Save() {
        var editor = $find("<%=radEdit.ClientID%>");
        var editorHtmlContent = editor.get_html();
        var entityId = document.getElementById('hdEntityId').value;
        var url = '<%=Url.Action("SaveNote", "staticController")%>';
        $.post(url, { EntityId: entityId, Desc: editorHtmlContent }, function (result) { });
    }

Any clue?

Upvotes: 0

Views: 868

Answers (1)

tpeczek

Reputation: 24125

Posting HTML tags is considered a security threat (HTML injection and cross-site scripting (XSS)), so it is blocked by default. You have three ways out of this:

  1. Encode your HTML on the client side before sending it to the server. You can find a lot of reading about that on SO, for example here: Fastest method to escape HTML tags as HTML entities?
  2. If you have a strongly typed model class and want to get the actual HTML, you can use AllowHtmlAttribute:

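    using System.Web.Mvc; // provides AllowHtmlAttribute

    public class XMLModel
    {
        public int EntityId { get; set; }

        // Skips request validation for this property only
        [AllowHtml]
        public string Desc { get; set; }
    }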
    
  3. The last option is to disable input validation for the entire action, which can be done with ValidateInputAttribute:

    [ValidateInput(false)]
    [HttpPost]
    public ActionResult SaveNote(...)
    {
        ...
    }
    

You should choose the option most suitable for you.

Upvotes: 1
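An added example for option 1 (not part of the original answer): it shows why the raw editor HTML is rejected, why an escaper that emits numeric entities such as `&#39;` is still rejected, and an encoding that passes and round-trips. All function names are hypothetical, and `wouldTripRequestValidation` is only an approximation of ASP.NET's default request validation rule, assumed here for illustration.

```javascript
// Approximation (assumption) of ASP.NET's default request validation:
// a value is rejected when it contains "<" followed by a letter, "!", "/"
// or "?", or when it contains "&#". This is not a sanitizer.
function wouldTripRequestValidation(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Encode editor HTML for transport. "&" is replaced first so that entities
// already in the markup (e.g. "&#39;") become "&amp;#39;" and survive intact.
function encodeForPost(html) {
  return html
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Inverse of encodeForPost, standing in for one HTML-decode on the server.
// "&amp;" is decoded last so "&amp;lt;" becomes "&lt;" and not "<".
function decodeOnServer(encoded) {
  return encoded
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// A common style of escaper that writes "'" as a numeric entity; its output
// contains "&#", so the request is still rejected.
function naiveEscape(html) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return html.replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample of editor output (not from the original page).
const SAMPLE = '<p class="note">Tom &amp; Jerry&#39;s <b>notes</b></p>';

function demo() {
  const encoded = encodeForPost(SAMPLE);
  return {
    rawBlocked: wouldTripRequestValidation(SAMPLE),
    encodedBlocked: wouldTripRequestValidation(encoded),
    naiveBlocked: wouldTripRequestValidation(naiveEscape("<p>it's</p>")),
    roundTrips: decodeOnServer(encoded) === SAMPLE,
    encoded: encoded
  };
}
```

In `Save()` this would be used as `Desc: encodeForPost(editor.get_html())`. The decoded value on the server is still untrusted HTML, so it needs sanitising or output encoding before it is rendered, exactly as with `[AllowHtml]`.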
