CODEWITHSUNDEEP
javascriptjqueryasp.net-mvcvalidationencoding
Gidon
Gidon

Reputation: 537

asp.net mvc encode on form post

I'm using a rich text editor in my asp.net mvc form (nicedit with a textarea) and when I submit the form on post, because it is not html encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client" . How can I html encode the textarea on post ? I don't want to cancel the validation. Is there a way to use the html.encode helper on submit?

Thank you.

Upvotes: 2

Views: 6030

Answers (3)

Peter Kerr
Peter Kerr

Reputation: 1749

Rather than switching off ValidateInput , as then you are open to vulnerabilities, you could use Javascript to encode the special charaters. This allows you to not throw the error message:

A potentially dangerous Request.Form value was detected from the client

for some simple inputs (such as emails in the format MyName<[email protected]>) but still having the built in MVC function to watch your back for other script injection. Off course if you need the input in the correct format at the server you will have to decode it and be careful if you are outputting it again

If already using jQuery, this can easily be added to all input fields as follows

$("input").on("change", function() {
    $(this).val(htmlEscape($(this).val()));
});

htmlEscape here is my own function to change the special chars. 

function htmlEscape(str) {
    return str
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

Depending on your needs you may want to escape all characters using the built in Javascript function encodeURI or extend the above function such as:

function htmlEscape(str) {
    return str
        .replace(/&/g, '&amp;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

Upvotes: 1

Tony Bolding
Tony Bolding

Reputation: 9

Are you using .net 4.0? If so you will also need

<system.web>' 
<httpRuntime requestValidationMode="2.0"/>'

in your config.web file.

Upvotes: -1

Darin Dimitrov
Darin Dimitrov

Reputation: 1039538

You could decorate the action handling the form post with the ValidateInputAttribute:

[ValidateInput(false)]
[HttpPost]
public ActionResult SomeActionToHandleFormSubmission() 
{
    ...
}

Upvotes: 4

Related Questions