
I use Summernote to enable users to write an HTML email on my website. The email is submitted if the user submits the form. Since the email is a little more complex, with some additional data, I use a custom ModelBinder, which leads me to my problem.

I try to get the email text like this:

argument = request.Form[propertyName] //<-- HttpRequestBase request;

The FreeMessageModel looks like this.

public class FreeMessageModel : BaseMessageModel
{
    private MvcHtmlString m_FreeMessage;
    private String m_Subject;
    private EmployeeModel m_Employee;

    public MvcHtmlString FreeMessage
    {
        get 
        {
            return m_FreeMessage; 
        }
        set { m_FreeMessage = value; }
    }
    public String Subject
    {
        get { return m_Subject; }
        set { m_Subject = value; }
    }
    public EmployeeModel Employee
    {
        get { return m_Employee; }
        set { m_Employee = value; }
    }

    public String Sender 
    {
        get 
        {
            String from = "someadress";
            return from;
        }
    }

    public FreeMessageModel() 
    {
    }

    public string GetMailBody()
    {
        throw new NotImplementedException();
    }
}

The request.Form[propertyName] crashes on FreeMessage with the error message HttpRequestValidationException. I am aware that the HTML text is interpreted as a possible security issue. My question is: how can I get the text so that I can decide if it's dangerous myself?

I read "Why do I get HttpRequestValidationException submitting user input with raw html?", but this happens after the model binding process.

So the question is: how can I get HTML text during model binding without getting an HttpRequestValidationException and without turning off the validation for my whole application?

I am using the .NET Framework 4.0.

Bongo
  • You can try on your MVC method: `[ValidateInput(false)]` and in your Model: `[AllowHtml]` – Hackerman Feb 08 '16 at 12:08
  • I get the error in the custom ModelBinder. The ValidateInput(false) seems to have no impact there. But maybe I am missing something else here – Bongo Feb 08 '16 at 12:13
  • But you forget the second part: `[AllowHtml] public MvcHtmlString FreeMessage` – Hackerman Feb 08 '16 at 12:18
  • With a line break between them xD – Hackerman Feb 08 '16 at 12:18
  • Yeah, did that, didn't work either. I have the AllowHtml on my property and the ValidateInput in my model binder – Bongo Feb 08 '16 at 12:19
  • Put `[ValidateInput(false)]` in your controller method.... – Hackerman Feb 08 '16 at 12:20
  • http://stackoverflow.com/questions/3621272/allow-user-to-input-html-in-asp-net-mvc-validateinput-or-allowhtml – Hackerman Feb 08 '16 at 12:20
  • I tried that before and now again and it doesn't work. The problem is that the model binder kicks in before the controller's action is called :D. I saw that answer before and it doesn't apply, I think. – Bongo Feb 08 '16 at 12:26
  • @Hackerman I found the error... I had, due to version control, a second web.config and added the into the wrong one. Your answer was completely right! thx – Bongo Feb 08 '16 at 13:50
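
One way to do what the question asks, reading a single field without request validation inside a custom binder and vetting it there, shown as an added example that is not part of the original post or its comments. It assumes ASP.NET MVC 3 or later (where `[AllowHtml]` and `IUnvalidatedValueProvider` exist); `FreeMessageModelBinder` and the `sanitize` delegate are hypothetical names, and the allow-list sanitizer itself is supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.Web.Mvc;

// Added example, not code from the original post.
// FreeMessageModelBinder and the injected sanitize delegate are hypothetical.
public class FreeMessageModelBinder : DefaultModelBinder
{
    private readonly Func<string, string> m_Sanitize;

    // sanitize: caller-supplied allow-list HTML sanitizer (assumption).
    public FreeMessageModelBinder(Func<string, string> sanitize)
    {
        if (sanitize == null) throw new ArgumentNullException("sanitize");
        m_Sanitize = sanitize;
    }

    protected override void BindProperty(ControllerContext controllerContext,
        ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
    {
        // Every other property keeps normal request validation.
        if (propertyDescriptor.Name != "FreeMessage")
        {
            base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
            return;
        }

        string key = CreateSubPropertyName(bindingContext.ModelName, propertyDescriptor.Name);

        // Providers that can skip request validation implement
        // IUnvalidatedValueProvider; passing true skips it for this key only.
        // If the provider cannot skip it, the fallback still validates and
        // throws HttpRequestValidationException (fail closed).
        IUnvalidatedValueProvider raw = bindingContext.ValueProvider as IUnvalidatedValueProvider;
        ValueProviderResult result = raw != null
            ? raw.GetValue(key, true)
            : bindingContext.ValueProvider.GetValue(key);
        if (result == null) return;

        bindingContext.ModelState.SetModelValue(key, result);

        // The raw markup is untrusted: sanitize before it reaches the model.
        string html = m_Sanitize(result.AttemptedValue ?? String.Empty);
        propertyDescriptor.SetValue(bindingContext.Model, MvcHtmlString.Create(html));
    }
}
```

Because the binder takes a constructor argument, it is registered as an instance, for example in `Application_Start` with `ModelBinders.Binders.Add(typeof(FreeMessageModel), new FreeMessageModelBinder(mySanitizer))`, where `mySanitizer` is whatever sanitizer the application uses.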
