eLTG

Reputation: 189

Allow using some html tags in MVC 4

How can I allow clients to use HTML tags in MVC 4? I would like to save records to the database and, when extracting them in the view, allow only some HTML tags (<b>, <i>, <img>); all other tags must be rendered as text.

My Controller:

    [ValidateInput(false)]   // request validation disabled for the whole action
    [HttpPost]
    public ActionResult Rep(String a)
    {
        var dbreader = new DataBaseReader();
        var text = Request["report_text"];
        dbreader.SendReport(text, uid, secret).ToString();
        ...
    }

My View:

    @{
        var dbreader = new DataBaseReader();
        var reports = dbreader.GetReports();
        foreach (var report in reports)
        {
            <div class="report_content">@Html.Raw(report.content)</div>
            ...
        }
    }

Upvotes: 0

Views: 1919

Answers (5)

eLTG

Reputation: 189

I found a solution to my problem:

    // html is the stored report text with every '<' and '>' already HTML-encoded
    html = Regex.Replace(html, "&lt;b&gt;(.*?)&lt;/b&gt;", "<b>$1</b>");
    html = Regex.Replace(html, "&lt;i&gt;(.*?)&lt;/i&gt;", "<i>$1</i>");
    html = Regex.Replace(html, "&lt;img(?:.*?)src=&quot;(.*?)&quot;(?:.*?)/&gt;", "<img src=\"$1\"/>");

Upvotes: 0

Sander_P

Reputation: 1835

You may want to check out BBCode (see BBCode on Wikipedia). This way you have some control over what is allowed and what is not, and prevent illegal usage.

This would work like this:

  1. A user submits something like 'the meeting will now be on [b]monday![/b]'
  2. Before saving it to your database, you remove all real HTML tags ('< ... >') to avoid the use of illegal tags or code injection, but leave the pseudo tags as they are.
  3. When viewed, you convert only the allowed pseudo HTML tags into real HTML.

Upvotes: 0

Murali Murugesan

Reputation: 22619

If you want some property of your view model object to accept HTML text, use the AllowHtml attribute:

    [AllowHtml]
    public string UserComment { get; set; }

and before binding to the view:

    model.UserComment = model.UserComment.Replace("<othertagstart/end>", ""); // hard

Upvotes: 1

rkawano

Reputation: 2503

You can replace all < chars with the HTML entity:

    tags = tags.Replace("<", "&lt;");

Now, replace back only the allowed tags:

    tags = tags
        .Replace("&lt;b>", "<b>")
        .Replace("&lt;/b>", "</b>")
        .Replace("&lt;i>", "<i>")
        .Replace("&lt;/i>", "</i>")
        .Replace("&lt;img ", "<img ");

And render it to the page using @Html.Raw(tags).

Upvotes: 1

Marcin Wachulski

Reputation: 577

Turn off validation for report_text (1) and write a custom HTML encoder (2):

Step 1:

    Request.Unvalidated().Form["report_text"]

More info here. You don't need to turn off validation for the entire controller action.

Step 2:

Write a custom HTML encoder (convert all tags except b, i and img, e.g. script -> &lt;script&gt;), since you are customizing the default behaviour of request validation and HTML tag filtering. Consider safeguarding yourself from SQL injection attacks by checking the SQL parameters passed to stored procedures/functions etc.

Upvotes: 0
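A worked version of the encode-first-then-allowlist approach that rkawano's and Marcin Wachulski's answers describe, added here as an example; it is not code from the question or from any answer. It assumes the view calls `ReportHtml.Sanitize(report.content)` before `Html.Raw`; the class and method names are my own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the question or answers). Strategy: HTML-encode the
// whole report so everything is text, then re-enable an explicit allowlist:
// <b>, </b>, <i>, </i> with no attributes, and <img> with a single http(s) src.
public static class ReportHtml
{
    private const RegexOptions Opts = RegexOptions.IgnoreCase | RegexOptions.CultureInvariant;

    // After HttpUtility.HtmlEncode, '<' is "&lt;", '>' is "&gt;" and '"' is
    // "&quot;", so these patterns match only tags the user typed as plain text.
    private static readonly Regex BoldOpen  = new Regex(@"&lt;b&gt;", Opts);
    private static readonly Regex BoldClose = new Regex(@"&lt;/b&gt;", Opts);
    private static readonly Regex ItalOpen  = new Regex(@"&lt;i&gt;", Opts);
    private static readonly Regex ItalClose = new Regex(@"&lt;/i&gt;", Opts);

    // Only a src attribute is accepted, only with an http/https scheme, and the
    // value runs up to the encoded closing quote. A literal '"' cannot occur in
    // the capture (it was encoded), so it cannot break out of the attribute
    // rebuilt below; a javascript: or data: URL simply never matches.
    private static readonly Regex Img = new Regex(
        @"&lt;img\s+src=&quot;(https?://[^\s]*?)&quot;\s*/?&gt;", Opts);

    // Use at render time: <div class="report_content">@Html.Raw(ReportHtml.Sanitize(report.content))</div>
    public static string Sanitize(string userText)
    {
        if (string.IsNullOrEmpty(userText)) return string.Empty;

        // Step 1: everything becomes text (this also neutralises <script>, onerror=, ...).
        string html = HttpUtility.HtmlEncode(userText);

        // Step 2: re-enable only the allowlisted, attribute-free tags.
        html = BoldOpen.Replace(html, "<b>");
        html = BoldClose.Replace(html, "</b>");
        html = ItalOpen.Replace(html, "<i>");
        html = ItalClose.Replace(html, "</i>");

        // Step 3: rebuild <img> from the validated URL alone; any other attribute
        // the user typed (onerror, style, ...) stays as visible encoded text.
        html = Img.Replace(html, "<img src=\"$1\" alt=\"\" />");
        return html;
    }
}
```

Because the raw text is stored unchanged and the allowlist is applied only on output, the set of allowed tags can be changed later without migrating the database.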
