2

I am implementing an MVC2 application and need to allow HTML in a description field. This model has many more fields which need validation.

I just saw that MVC3 has this attribute [AllowHtml] to do this.

Is there a solution for this in MVC2, or will I need to upgrade to MVC3?

Thanks in advance!

Dan Atkinson
imesh
  • 1
    If you're just now implementing an MVC2 app, I would advise that you move up to MVC3, given that it is the latest version. – Dan Atkinson Sep 11 '11 at 20:53

2 Answers

3

The below one is the approach I would follow:

Allow User to input HTML in ASP.NET MVC - ValidateInput or AllowHtml

You need to be careful though. The user input could be evil any time.

Community
tugberk
  • Yes, exactly. ValidateInput(false) can be used for this, but I need to validate all fields other than the HTML-allowed field. – imesh Sep 11 '11 at 08:14
  • The way ASP.NET blows up when a user enters "HTML" into a text field is poor. Fields that shouldn't allow HTML should not throw exceptions when users enter html characters - they should be stored just as any other character, and encoded when they are displayed. – Danny Tuppeny Sep 11 '11 at 11:02
  • Imagine if you tried to post "What does the tag do?" in a StackOverflow question title. It shouldn't just blow up, it should (and does) take the input and encode it when it's displayed. – Danny Tuppeny Sep 11 '11 at 11:02
  • Thanks Danny, yes, what you are saying is true. In MVC 2 it is a bit difficult to handle it. Anyway, I wrote a custom action filter to address this issue. – imesh Sep 13 '11 at 04:19
0

There is a problem in the suggested answer: when ValidateInput is set to false, all fields in the model are vulnerable to HTML content. So we basically cannot use that approach. If we want to, we will need to write a lot of code validating all the fields.

Jake Scott has suggested a solution for this here. We can write a custom filter and handle this.

Note: This might not be the best solution, but with the limitations in MVC2 we might need to live with it.

Community
imesh
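One way to keep the other fields checked once `[ValidateInput(false)]` is on the action, as an added example (not code from either answer or from the linked filter): a per-field validation attribute that MVC2's DataAnnotations support runs during model binding. `NoHtmlAttribute`, `ProductModel` and `ProductController` are hypothetical names, and the pattern only approximates what request validation rejects.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical attribute: rejects values that look like markup, roughly the
// inputs request validation would have blocked before it was switched off.
public class NoHtmlAttribute : ValidationAttribute
{
    private static readonly Regex Markup =
        new Regex(@"<[a-zA-Z!/?]|&#", RegexOptions.Compiled);

    public override bool IsValid(object value)
    {
        var text = value as string;
        return string.IsNullOrEmpty(text) || !Markup.IsMatch(text);
    }
}

// Hypothetical model: every string field except Description carries [NoHtml].
public class ProductModel
{
    [Required, NoHtml]
    public string Name { get; set; }

    [NoHtml]
    public string Category { get; set; }

    public string Description { get; set; }   // the one field allowed to carry HTML
}

public class ProductController : Controller
{
    [HttpPost]
    [ValidateInput(false)]   // disables request validation for the whole request
    public ActionResult Edit(ProductModel model)
    {
        if (!ModelState.IsValid)
            return View(model);   // [NoHtml] failures surface as model errors

        // Description is untrusted markup: run it through a whitelist HTML
        // sanitizer before storing or rendering it unencoded (not shown here).
        // Every other field is still HTML-encoded when it is displayed.
        return RedirectToAction("Index");
    }
}
```

On ASP.NET 4, `[ValidateInput(false)]` only takes effect when web.config sets `<httpRuntime requestValidationMode="2.0" />`.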