views: 226
answers: 3

Hello, I'm using a rich text editor in my ASP.NET MVC form (NicEdit with a textarea) and when I submit the form on post, because it is not HTML encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client". How can I HTML encode the textarea on post? I don't want to cancel the validation. Is there a way to use the Html.Encode helper on submit?

Thank you.

+1 A:

You could decorate the action handling the form post with the ValidateInputAttribute:

[ValidateInput(false)]
[HttpPost]
public ActionResult SomeActionToHandleFormSubmission() 
{
    ...
}
Darin Dimitrov
Thank you for your answer, but I don't want to cancel the validation. I want to encode it before submit. Anyway, even when I put the attribute it still gives me the server error.
Gidon
Even when the post is encoded, ASP.NET may fire this exception since it's designed to prevent users from posting dangerous content that you then display back to other users. Since you will almost certainly decode it before displaying, ASP.NET must validate the decoded content for the protection to be of any value. By adding the ValidateInput attribute to the _POST_ action method you tell ASP.NET that you know what you are doing and will take the appropriate measures to ensure that the submitted content is safe.
Paul Alexander
What are the appropriate measures which I need to take to ensure that the submitted content is safe?
Gidon
Safe for what? When you are going to render the text entered by the user just pass it through `Html.Encode`.
Darin Dimitrov
A: 

Are you using .NET 4.0? If so you will also need

<system.web>
  <httpRuntime requestValidationMode="2.0"/>
</system.web>

in your web.config file.

Tony Bolding
This disables validation for the entire site which probably isn't the best practice. @Darin's answer is the correct way to disable validation in an MVC environment.
Paul Alexander
Paul - trouble is @Darin's answer is incomplete for .net 4
Tony Bolding
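Putting the two answers together, here is an added example (not code from the thread) of how the pieces fit: request validation is switched off only for the POST action that receives the editor content, and the content is HTML-encoded with `Html.Encode` when it is rendered, so the submitted markup is displayed as literal text rather than interpreted by the browser. The controller, model, view and property names (`ArticleController`, `ArticleModel`, `Body`, `Show`) are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical view model bound from the form post.
public class ArticleModel
{
    public string Title { get; set; }
    // Raw markup produced by the rich text editor's textarea.
    public string Body { get; set; }
}

public class ArticleController : Controller
{
    [HttpGet]
    public ActionResult Create()
    {
        return View(new ArticleModel());
    }

    // Request validation is disabled for this action only; every other action
    // in the site keeps the default "potentially dangerous Request.Form"
    // check. On .NET 4 with MVC 2 this attribute only takes effect when
    // web.config also contains <httpRuntime requestValidationMode="2.0"/>.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(ArticleModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The markup is kept exactly as submitted; nothing is encoded here.
        // Encoding belongs at the point where the text is rendered back.
        return View("Show", model);
    }
}

// Show.aspx (MVC 2 ASPX view, strongly typed to ArticleModel). Html.Encode
// turns <, >, & and quotes into entities, so a submitted <script> tag is
// shown to the reader as text and is never executed by the browser:
//
//   <h1><%= Html.Encode(Model.Title) %></h1>
//   <div><%= Html.Encode(Model.Body) %></div>
//
// A DisplayFor/Html.Raw call on Model.Body would undo this protection, so the
// encoded form is the one to use wherever the submitted text is displayed.
```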