1

I'm still a newbie in ASP.Net and don't get how to fix the following problem.

I need rich text to be published on my project. I added NicEdit because it seems to be easy to use.

So, as foreseen, I got an error from the server.

A potentially dangerous Request.Form value was detected from the client(compteRendu="blablbab<br><br>test<br>").

I tried to fix it by using htmlencoder, but I failed at using it.

What I did:

    <script type="text/VB">
        htmlEncode {
            model.compteRendu = HtmlEncode(model.compteRendu)
            }
    </script>

    @Using Html.BeginForm(IsPost)
        @Html.ValidationSummary(True)
        @<fieldset>
            <legend>meeting</legend>
        @Html.HiddenFor(Function(model) model.idmeeting)
        <div class="editor-label">
            @Html.LabelFor(Function(model) model.compteRendu)
        </div>
        <div class="editor-field">
            @Html.TextAreaFor(Function(model) model.compteRendu)
            @Html.ValidationMessageFor(Function(model) model.compteRendu)
        </div>
        <p>
            <input type="submit" value="Save" onclick="htmlEncode"/>
        </p>
    </fieldset>
    End Using

So, what have I done wrong? I also tried to do this inside the controller, but I didn't find any method which was supposed to encode the Html.

    ' POST: /Meeting/Edit/5

    <HttpPost()>
    Function Edit(meeting As meeting) As ActionResult
        meeting.compteRendu = HttpEncode(meeting.compteRendu)
        If ModelState.IsValid Then
        ...

PS: I'm not a native English speaker, sorry if my English sucks.

Edit: For the moment, I don't need more than something that allows me to replace my "new lines" with <br />.

So, I've found that I could do it like that:

    @Html.Raw(meeting.compteRendu.Replace(System.Environment.NewLine, "<br />"))

For the moment, it's ok for me. But I'm not sure, maybe I'll need to create text with colors, and so on. So if you've an idea on how I can send validated rich text to my database, I'll be very happy.

Deblaton Jean-Philippe
  • This looks like it could answer it http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client – Crab Bucket Mar 08 '12 at 11:25
  • I already found/read this topic. But I'm not really pleased by those solutions, e.g. validateRequest="false". I also tried to add : but it was not sufficient to validate without errors what I needed. And then I tried the HtmlEncode that they were talking about, without success... By the way, thanks for the time you spent doing this research – Deblaton Jean-Philippe Mar 08 '12 at 11:33

1 Answer

3

You could decorate the compteRendu property on your view model with the <AllowHtml> attribute:

    <AllowHtml()>
    Public Property compteRendu As String

This will accept any characters in this property. Inside your view you don't need to do any encodings:

    @ModelType Meeting

    @Using Html.BeginForm(IsPost)
        @Html.ValidationSummary(True)
        @<fieldset>
            <legend>meeting</legend>
            @Html.HiddenFor(Function(model) model.idmeeting)
            <div class="editor-label">
                @Html.LabelFor(Function(model) model.compteRendu)
            </div>
            <div class="editor-field">
                @Html.TextAreaFor(Function(model) model.compteRendu)
                @Html.ValidationMessageFor(Function(model) model.compteRendu)
            </div>
            <p>
                <input type="submit" value="Save" />
            </p>
        </fieldset>
    End Using

Nor inside your controller action:

    ' POST: /Meeting/Edit/5

    <HttpPost()>
    Function Edit(meeting As meeting) As ActionResult
        If ModelState.IsValid Then
            ...
        End If
        ...
    End Function

Darin Dimitrov
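
An added example, not code from the question or the answer: once `<AllowHtml()>` lets markup through request validation, the `Html.Raw(...Replace(...))` line in the question emits whatever was stored, so this helper encodes the text first and only then inserts `<br />`. The module and method names (`RichTextExtensions`, `EncodeWithLineBreaks`) are hypothetical, and the view is assumed to import the module's namespace.

```vbnet
Imports System.Runtime.CompilerServices
Imports System.Web
Imports System.Web.Mvc

' Added example: hypothetical helper, not part of the original post.
Public Module RichTextExtensions

    ' Renders user-supplied text with its line breaks preserved,
    ' without letting any submitted markup reach the page as HTML.
    <Extension()>
    Public Function EncodeWithLineBreaks(helper As HtmlHelper,
                                         text As String) As IHtmlString
        If String.IsNullOrEmpty(text) Then
            Return MvcHtmlString.Empty
        End If

        ' 1. Encode first: <, >, & and quotes become entities, so a stored
        '    <script> or onclick attribute is displayed as text.
        Dim encoded As String = HttpUtility.HtmlEncode(text)

        ' 2. Normalise line endings. Replacing only Environment.NewLine
        '    (CR LF on Windows) misses a bare LF or a bare CR.
        encoded = encoded.Replace(vbCrLf, vbLf).Replace(vbCr, vbLf)

        ' 3. Insert the single tag we generate ourselves. The result is an
        '    IHtmlString, so Razor does not encode it a second time.
        Return MvcHtmlString.Create(encoded.Replace(vbLf, "<br />"))
    End Function

End Module

' In the view, instead of Html.Raw(...):
'     @Html.EncodeWithLineBreaks(Model.compteRendu)
```

This covers the plain-text-with-line-breaks case only; markup that is meant to render (colours and so on) needs an allow-list HTML sanitizer applied before the value is passed to `Html.Raw`.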