What's New in ASP.NET 4.5 and Visual Studio 2012 shows a built-in AntiXSS library:

    <httpRuntime ...
      encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    @Html.TextBoxFor(x => x.Name, new { @class = "testClass", maxlength = "50" })

It's powerful, you get

    "A potentially dangerous Request.Form value was detected from the client (Name=\"<b> test </b>\")."

for any potentially dangerous detection,

BUT

What can I do if I want this kind of protection but also allow some HTML content for a WYSIWYG HTML editor (a forum post, for example)?

– Zakos
  • That is the type of error that we commonly see with Request Validation. Are you positive the issue you're having is with the AntiXss library and not the built-in standard Request Validation? It's ironic that the Request Validation section is above the AntiXSS library section in the link you sent. You can also check out http://msdn.microsoft.com/en-us/library/hh882339.aspx for info on Request Validation. – Nick Bork Jul 30 '13 at 20:18
  • I think this is the .NET protection kicking in, not the Anti-XSS library. Take a look at http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Steven V Jul 30 '13 at 20:18

1 Answer

As @NickBork mentioned in his comment, this kind of error comes from ASP.NET Request Validation and is not related to the AntiXSS library. The AntiXSS library does not protect your application from dangerous input. It can help you, but you must use it explicitly.

To skip request validation for a specific property, you can use AllowHtmlAttribute:

    // model
    using System.Web.Mvc;

    public class MyModel
    {
        // Request validation is skipped for this property only.
        [AllowHtml]
        public string HtmlContent { get; set; }
    }

    // controller
    public class HomeController : Controller
    {
        [HttpGet]
        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        public ActionResult Index(MyModel myModel)
        {
            // use myModel.HtmlContent (sanitize it before it is rendered with Html.Raw)
            return View(myModel);
        }
    }

    @* view *@
    @model MyModel

    <form action="@Url.Action("Index")" method="POST">
        @Html.TextBoxFor(m => m.HtmlContent)
        <button type="submit">Submit</button>
    </form>

    @if (Model != null)
    {
        <div>
        @Html.Raw(Model.HtmlContent)
        </div>
    }
– Alexander Simonov
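An added example (not the answer's own code) of the point the answer makes: [AllowHtml] only switches request validation off for one property, so the AntiXSS library still has to be called explicitly before that markup reaches Html.Raw. It assumes ASP.NET MVC on .NET 4.5 with the AntiXSS NuGet package referenced, which supplies Microsoft.Security.Application.Sanitizer; PostModel, ForumController and the Show view are illustrative names.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC on
// .NET 4.5 with the AntiXSS NuGet package referenced (it provides
// Microsoft.Security.Application.Sanitizer). Names below are illustrative.
using System.Web.Mvc;
using Microsoft.Security.Application;   // Sanitizer (AntiXSS library)

public class PostModel
{
    // Plain-text field: request validation stays on for it.
    public string Title { get; set; }

    // WYSIWYG field: [AllowHtml] skips request validation for this property
    // only, so "<b>test</b>" no longer triggers "potentially dangerous value".
    [AllowHtml]
    public string Body { get; set; }

    // Filled in server-side and excluded from model binding below, so a
    // client cannot post an unsanitized value straight into it.
    public string SafeBody { get; set; }
}

public class ForumController : Controller
{
    [HttpGet]
    public ActionResult Create()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Exclude = "SafeBody")] PostModel model)
    {
        // Request validation is off for Body, so the AntiXSS sanitizer must be
        // called explicitly. GetSafeHtmlFragment keeps a whitelist of
        // formatting tags and drops <script>, on* handlers and javascript: URLs.
        model.SafeBody = Sanitizer.GetSafeHtmlFragment(model.Body ?? string.Empty);

        // Title is left as-is: Razor's @Model.Title encodes it on output, using
        // the AntiXssEncoder configured via encoderType in web.config.
        return View("Show", model);
    }
}
```

The Show view renders the sanitized markup with @Html.Raw(Model.SafeBody) and the title with a plain @Model.Title; Html.Raw should only ever receive the sanitized field, never Body.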