I've got a text area that contains HTML. I expect the content to be escaped when posted to the controller method but I'm finding it is escaped twice. What could possibly cause this? See the example below:

Pulled from request:

    &amp;lt;b&amp;gt;test&amp;lt;/b&amp;gt;

WebUtility.HtmlDecode 1st time:

    &lt;b&gt;test&lt;/b&gt;

WebUtility.HtmlDecode 2nd time:

    <b>test</b>

I'm no expert when it comes to web development but I've got about 2 years of experience. This is the first time I've seen anything like this. I've attempted adding the following sections to my Web.config with no luck:

    <pages validateRequest="false" />
    <httpRuntime requestValidationMode="2.0" />

    <security>
      <requestFiltering allowDoubleEscaping="false" />
    </security>

Please let me know if I can provide more information.

tereško
alan
  • Have you seen [Allow user to input HTML in asp.net MVC](http://stackoverflow.com/questions/3621272/allow-user-to-input-html-in-asp-net-mvc)? – Dustin Kingen Aug 29 '13 at 13:09
  • I have, but I have not had luck with those solutions. The string pulled from the request is still twice escaped. – alan Aug 29 '13 at 13:15
  • What does the view/viewmodel/controller look like? – Dustin Kingen Aug 29 '13 at 13:16
  • It's a standard ASP.net view with a kendoEditor, the model is all over the place (web api calls via jQuery) and the controller is a WebAPI controller. I found the solution however. It turns out the kendoEditor was escaping the characters, then ASP.net was doing its standard escaping as well. Thanks for the help though! – alan Aug 29 '13 at 13:31

1 Answer

It turns out the problem lay in the textarea itself. In the view it was just a standard textarea, but in JavaScript document.Ready it was then made to be a kendoEditor. The kendoEditor was encoding the HTML first, then ASP.net was applying its standard encoding as well. Setting the attribute `encoded` equal to false fixed the issue:

    $("#editor").kendoEditor({
        encoded: false
    });

Update: I found later that setting the encoded attribute to false would introduce another problem. On submit I received the "A potentially dangerous Request.Form value was detected from the client" error when using formatting tools from the built-in KendoEditor toolbar. My solution was to double-decode the posted request:

    WebUtility.HtmlDecode(WebUtility.HtmlDecode(Request["value"]));
alan
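An added example, not part of the original answer: it contrasts decoding a fixed number of layers, as the answer does, with decoding until the value stops changing. It assumes exactly two encoding layers as described above; the class, the helper names and the sample editor content are constructed for illustration.

```csharp
using System;
using System.Net;

static class EncodingLayers
{
    // Assumption: two layers, as the answer describes
    // (kendoEditor encoding, then a second encoding before the controller).
    const int Layers = 2;

    // Simulates the value arriving at the server after n encoding passes.
    static string EncodeTimes(string html, int n)
    {
        for (int i = 0; i < n; i++) html = WebUtility.HtmlEncode(html);
        return html;
    }

    // Removes exactly n layers: the approach used in the answer with n = 2.
    static string DecodeTimes(string value, int n)
    {
        for (int i = 0; i < n; i++) value = WebUtility.HtmlDecode(value);
        return value;
    }

    // Over-eager variant: keeps decoding until nothing changes.
    // It also strips entities that belong to the content itself.
    static string DecodeUntilStable(string value)
    {
        string previous;
        do
        {
            previous = value;
            value = WebUtility.HtmlDecode(value);
        } while (value != previous);
        return value;
    }

    static void Main()
    {
        // Constructed editor content: bold markup, followed by the literal
        // text "<script>" typed by the user, which the editor's HTML
        // holds as entities.
        string editorHtml = "<b>test</b> &lt;script&gt;";
        string posted = EncodeTimes(editorHtml, Layers);

        Console.WriteLine("posted:          " + posted);
        Console.WriteLine("decoded x2:      " + DecodeTimes(posted, Layers));
        Console.WriteLine("decoded to end:  " + DecodeUntilStable(posted));
    }
}
```

Decoding exactly two layers returns the editor's HTML unchanged, with the typed text still held as entities, while decoding until stable turns that text into a real tag. In both cases the result is user-supplied HTML that has bypassed request validation, so it needs sanitizing or encoding before it is rendered.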