2

I'm using a rich text editor in my asp.net mvc form (nicedit with a textarea) and when I submit the form on post, because it is not html encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client" . How can I html encode the textarea on post ? I don't want to cancel the validation. Is there a way to use the html.encode helper on submit?

Thank you.

Gidon

3 Answers

4

You could decorate the action handling the form post with the ValidateInputAttribute:

[ValidateInput(false)]
[HttpPost]
public ActionResult SomeActionToHandleFormSubmission() 
{
    ...
}
Darin Dimitrov
  • 1
    Thank you for your answer, but I don't want to cancel the validation. I want to encode it before submit. Anyway, even when I put the attribute it still gives me the server error. – Gidon Apr 28 '10 at 08:08
  • Even when the post is encoded, ASP.NET may fire this exception since it's designed to prevent users from posting dangerous content that you then display back to other users. Since you will almost certainly Decode it before displaying, ASP.NET must validate the decoded content for the protection to be of any value. By adding the ValidateInput attribute to the _POST_ action method you tell ASP.NET that you know what you are doing and will take the appropriate measures to ensure that the submitted content is safe. – Paul Alexander Apr 29 '10 at 22:16
  • What are the appropriate measures which I need to take to ensure that the submitted content is safe? – Gidon May 01 '10 at 13:52
  • Safe for what? When you are going to render the text entered by the user just pass it through `Html.Encode`. – Darin Dimitrov May 01 '10 at 17:46
  • 2
    This is where I don't fully agree with the design of ASP.NET MVC. IMO, it is designed to frustrate both users and developers. I think the right way is that MVC should automatically encode the data and not complain. Instead of assuming developers know what to do, MVC should do something to make sure such an XSS attack is less likely to happen. Still, I can't say I am satisfied with this answer. There must be a way to encode the form data before saving.... – Antony Jul 07 '11 at 01:11
1

Rather than switching off ValidateInput, as then you are open to vulnerabilities, you could use Javascript to encode the special characters. This allows you to not throw the error message:

A potentially dangerous Request.Form value was detected from the client

for some simple inputs (such as emails in the format MyName<me@somewhere.com>) while still having the built in MVC function to watch your back for other script injection. Of course, if you need the input in the correct format at the server you will have to decode it, and be careful if you are outputting it again.

If already using jQuery, this can easily be added to all input fields as follows:

$("input").on("change", function() {
    $(this).val(htmlEscape($(this).val()));
});

htmlEscape here is my own function to change the special chars.

function htmlEscape(str) {
    return str
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

Depending on your needs you may want to escape all characters using the built in Javascript function encodeURI or extend the above function such as:

function htmlEscape(str) {
    return str
        .replace(/&/g, '&amp;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}
Peter Kerr
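The two versions of htmlEscape above behave very differently once the value is placed back into an HTML attribute, and the answer also notes that the server has to decode the value again before using it. The following is an added example (not part of the answer or of nicEdit/ASP.NET MVC) that puts the full escape beside its inverse, shows why the minimal version that only handles < and > is not enough when quotes are involved, and applies the escape to a whole set of form fields at once. The field names, sample values and the hasRawMarkup helper are constructed for illustration; the jQuery wiring at the bottom is a comment because it needs a browser DOM.

```javascript
'use strict';

// Full HTML escape: the five characters that matter in text and attribute
// context. Order matters: '&' goes first, otherwise the entities produced by
// the later replacements would be escaped a second time.
function htmlEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of htmlEscape, for the server-side "decode it again" step the
// answer mentions. '&amp;' is handled last so that '&amp;lt;' round-trips
// to the literal text '&lt;' instead of collapsing to '<'.
function htmlUnescape(str) {
  return String(str)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// The minimal version from the answer (only < and >), kept here to compare.
function htmlEscapeMinimal(str) {
  return String(str).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Escape every value of a form before it is posted. `fields` is a plain
// object of name -> value, the shape you would build from a <form>'s inputs
// and textareas (hypothetical helper, not a jQuery API).
function escapeFormValues(fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    out[name] = htmlEscape(value);
  }
  return out;
}

// Does a value still contain a raw quote, '<' or '>'? Those are the
// characters that let text break out of an attribute or a text node, so an
// escaped value that still contains one is not safe to drop into markup.
function hasRawMarkup(str) {
  return /[<>"']/.test(str);
}

// Constructed sample values: the e-mail format the answer mentions and a
// rich-text body whose attribute relies on double quotes.
const sample = {
  email: 'MyName<me@somewhere.com>',
  body: '<p class="note">Bob\'s "report"</p>',
};

// Browser wiring (not run here): escape on submit rather than on change,
// because a rich-text editor typically copies its content into the hidden
// textarea only when the form is submitted.
// $("form").on("submit", function () {
//   $(this).find("input, textarea").each(function () {
//     $(this).val(htmlEscape($(this).val()));
//   });
// });
```

Compare `htmlEscapeMinimal(sample.body)` with `htmlEscape(sample.body)`: the minimal form leaves the quotes in place, so the value would still break out of an attribute if it were ever rendered unencoded, while the full form yields text that round-trips through htmlUnescape unchanged. Note that the browser-side escape only keeps request validation quiet; the encoding that actually protects other users is the Html.Encode applied when the value is rendered, as the comments on the first answer say.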
-1

Are you using .net 4.0? If so you will also need

<system.web>
  <httpRuntime requestValidationMode="2.0"/>
</system.web>

in your config.web file.