Reputation: 1509
What's New in ASP.NET 4.5 and Visual Studio 2012 shows a built-in AntiXSS Library,
<httpRuntime ...
encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
@Html.TextBoxFor(x => x.Name, new { @class = "testClass", maxlength = "50" })
It's powerful; you get
"A potentially dangerous Request.Form value was detected from the client (Name=\"<b> test </b>\")."
for any potentially dangerous detection,
BUT
what can I do if I want this kind of protection but also allow some HTML content for a WYSIWYG HTML editor (a forum post, for example)?
Upvotes: 0
Views: 6520
Reputation: 1584
As @NickBork mentioned in his comment, this kind of error comes from ASP.NET Request Validation and is not related to the AntiXSS library. The AntiXSS library does not protect your application from dangerous input. It can help you, but you must use it explicitly.
To skip request validation for some property you can use AllowHtmlAttribute:
// model
public class MyModel
{
    [AllowHtml]
    public string HtmlContent { get; set; }
}

// controller
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    public ActionResult Index(MyModel myModel)
    {
        // use myModel.HtmlContent
        return View(myModel);
    }
}

@* view *@
@model MyModel
<form action="@Url.Action("Index")" method="POST">
    @Html.TextBoxFor(m => m.HtmlContent)
    <button type="submit">Submit</button>
</form>
@if (Model != null)
{
    <div>
        @Html.Raw(Model.HtmlContent)
    </div>
}
Upvotes: 3
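The answer above shows how [AllowHtml] switches request validation off for one property, and the accompanying view then emits that property with @Html.Raw, which renders whatever the client submitted. The following is an added example, not code from the question or the answer, showing where the AntiXSS library has to be called explicitly to make that safe: the [AllowHtml] field is reduced to an allow-listed HTML fragment before it is stored, and fields that must never contain markup are encoded on output. It assumes the AntiXSS NuGet package is installed for Microsoft.Security.Application.Sanitizer (the .NET 4.5 framework itself only ships the AntiXssEncoder named in the question's httpRuntime setting); PostModel, HtmlInputPolicy, PostsController and the repository call are hypothetical names chosen for the example.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security.AntiXss;      // built into .NET 4.5: AntiXssEncoder
using Microsoft.Security.Application;   // AntiXSS NuGet package: Sanitizer (assumption: package installed)

// Constructed model: one plain-text field, one field that may carry editor markup.
public class PostModel
{
    // Plain text: request validation stays on, so "<b>" here is still rejected.
    public string Title { get; set; }

    // WYSIWYG content: request validation is bypassed for this property only.
    [AllowHtml]
    public string Body { get; set; }
}

public static class HtmlInputPolicy
{
    // Reduce user-supplied HTML to the tags and attributes the AntiXSS sanitizer allows
    // (formatting elements such as <b>, <i>, <p>, <a> survive; script elements, event-handler
    // attributes and javascript: URLs are removed). Run once, before persistence, so the stored
    // value is already safe to hand to Html.Raw.
    public static string SanitizeFragment(string untrustedHtml)
    {
        if (string.IsNullOrEmpty(untrustedHtml))
        {
            return string.Empty;
        }
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    // For fields that must never contain markup, encode on output. With encoderType set in
    // <httpRuntime> Razor's @ already does this; calling it explicitly covers strings that are
    // assembled in C# (mail bodies, JSON, log lines) and never pass through a Razor view.
    public static string EncodeText(string untrustedText)
    {
        return AntiXssEncoder.HtmlEncode(untrustedText ?? string.Empty, false);
    }
}

public class PostsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(PostModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Never persist the raw submission: replace it with the sanitized fragment.
        model.Body = HtmlInputPolicy.SanitizeFragment(model.Body);

        // hypothetical persistence call, e.g. _repository.Save(model);

        // The view renders @Model.Title (auto-encoded) and @Html.Raw(Model.Body) (sanitized above).
        return View(model);
    }
}
```

With a constructed submission such as `<b>hello</b><script>alert(1)</script>` in Body, SanitizeFragment keeps the `<b>` element and drops the script element, so the stored value can be rendered with @Html.Raw the way the answer's view does. Sanitizing at the point of storage rather than at render time means every later consumer of the field (an API, a feed, a mail) sees the same allow-listed markup; the one thing this does not change is that Title and any other non-[AllowHtml] field still rely on request validation plus output encoding, exactly as the answer describes.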