tags:

views:

483

answers:

1
+1  Q: 

Validation detected dangerous client input - post from TinyMCE in asp.net

I get this error when i post from TinyMCE in an asp.net mvc view

Error: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted

from googling, it says to just add a validateRequest in the Page directive at the top which i did but i STILL get this error. As you can see, below is my code in the view:

<%@ Page validateRequest="false" Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>
+3  A: 

Use the decorator [ValidateInput(false)].

You will then want to write a HTMLEncode method to make it safe.

Let me know if you want me to post the one I use.

Added the Encode I use

    public static class StringHelpers
{
    public static string HtmlEncode(this string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            value = value.Replace("<", "&lt;");
            value = value.Replace(">", "&gt;");
            value = value.Replace("'", "&apos;");
            value = value.Replace(@"""", "&quot;");
        }
        return value;
    }

    public static string HtmlDecode(this string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            value = value.Replace("&lt;", "<");
            value = value.Replace("&gt;", ">");
            value = value.Replace("&apos;", "'");
            value = value.Replace("&quot;", @"""");
        }

        return value;
    }
}
griegs  2009-08-04 02:25:36
if you can post that would be great
ooo  2009-08-04 02:26:03
thanks.. that worked great. is there anyway to prepoulate the textarea from an existing html page
ooo  2009-08-04 02:35:46
Don't quite understand what you mean [me]. Are you talking about screen scraping here or...
griegs  2009-08-04 02:40:08
Worth noting two things if using VS2010 and ASP.NET MVC2. First of all, you need to put <httpRuntime requestValidationMode="2.0" /> within <system.web> in your web.config file for the [ValidateInput(false)] attribute to work. Secondly, the above encoder is far too naive to be reliable.
Ant  2010-08-16 13:35:01

related questions

Fast SQL Server 2005 script generation
In Exchange (2003) how do I list the forms used in the public folder tree ?
Can Windows' built-in ZIP compression be scripted?
Set up PowerShell Script for Automatic Execution
Automated script to zip IIS logs?
Windows Mobile - What scripting platforms are available?
Best way to extract data from a FileMaker Pro database in a script?
which language you use for "throw away" programs?
Delete all but the most recent X files in bash
In SQL Server, how do I generate a CREATE TABLE statement for a given table?
Batch file to "Script" a Database
Is it OK to drop sql statistics?
How do I generate scripts that will rebuild my MS SQL Server 2005 database WITH data?
Which scripting language to support in an existing codebase?
quoting System.DirectoryServices.ResultPropertyCollection
Automate adding entries to a wiki
Can I copy files to a Network Place from a script or the command line?
How do you use PowerShell?
How to resolve symbolic links in a shell script
showing a message box from a bash script in linux
Date arithmetic in Unix shell scripts
Common Types of Subversion Hooks
MS-SQL: Drop all tables whose names begin with a certain string
What PHP framework would you choose for a new application and why?
Adding Scripting functionality to .NET applications