views: 70

answers: 2

Hi, I have an MVC site and will have users inputting text to be displayed on a web page. I am trying to come up with a graceful way of handling any HTML that the user tries to input - as you will probably be aware, MVC 2 throws an error for any HTML in the text.

I use ViewModels and decorate my properties with filters from the DataAnotation class to validate my forms.

Anybody know of such a way?

Is there some crazy regex that will NOT match HTML but anything else or some other way?

I am open to any suggestions.

Thanks,

Simon

+2  A: 

Adding the following attribute will stop the runtime from complaining:

// Turns off request validation for this one action only
[ValidateInput(false)]
public ActionResult SomeEvilAction ()
{
    /* ... */
}

Now it's your task to HTML encode every input you display back on a page:

<%= HttpUtility.HtmlEncode (Model.Text) %>

or

<%: Model.Text %>
Developer Art
Thanks - I was looking for something more graceful, that will prompt the user that HTML is not allowed. I want to preserve carriage returns from the text box, so I have written an HTML helper to turn these into <br/> and remove the potentially malicious script tags. Bearing in mind that to even get the script tags near the page, they would have to get through MVC's malicious input check. So for this one instance my text does not get encoded; to run HTML on the page they would need direct DB access!
Csharper
It always was your task to HTML-encode every piece of text you display on the page. **ASP.NET's anti-XSS filtering will not adequately protect you.** At best it merely obscures the real problems, at worst it adds fun new bugs to your otherwise secure application. I wouldn't use it for anything, ever, and I'm very disappointed in Microsoft that they seem to think this wrong-headed approach is in any way valid.
bobince
A: 

I did this exact thing on a site I did the other day.

I am using a WYSIWYG editor that puts in proper html, not bb code.

I disabled validation on the page from the page directive to stop MVC throwing the potentially unsafe code exception and removed all instances of script tags using a regex.

See Developer Art's post

You may need to add this to your web.config

<httpRuntime requestValidationMode="2.0" />

The regex I used is as follows:

(?<startTag><\s*script[^>]*>)(?<scriptContent>[\s\S]*?)(?<endTag><\s*/script>)

This will give you 3 named groups: startTag, scriptContent, endTag

So you can do a replace on the script element and show the content of the script, or remove it altogether.

Anything you wish to do really.

jimplode
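An added example, not code from either answer, that puts the two approaches side by side: jimplode's script-stripping regex (copied unchanged; .NET and JavaScript use the same (?<name>...) group syntax here) run against a few constructed inputs that a form would carry once request validation is off, and the encode-first output that Developer Art and bobince describe. htmlEncode is an assumed stand-in for HttpUtility.HtmlEncode, and looksExecutable is only a rough string check, not an HTML parser.

```javascript
// Added example (not from the page). The regex is the one posted in the answer,
// ported to JavaScript unchanged. Payloads below are constructed for illustration.

const scriptTagRe =
  /(?<startTag><\s*script[^>]*>)(?<scriptContent>[\s\S]*?)(?<endTag><\s*\/script>)/g;

// What the answer does: delete every <script>...</script> match in one pass.
function stripScriptTags(html) {
  return html.replace(scriptTagRe, "");
}

// Assumed stand-in for HttpUtility.HtmlEncode: escape the five characters that
// can start or terminate markup or attribute values.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// Preserve line breaks without leaving the user's own markup alive:
// encode FIRST, then add <br/>, so the only tags in the output are ours.
function encodeWithLineBreaks(text) {
  return htmlEncode(text).replace(/\r\n|\r|\n/g, "<br/>");
}

// Constructed inputs. Only the first one is actually removed by the regex.
const payloads = {
  plainScript: "<script>alert(1)</script>",
  upperCase: "<SCRIPT>alert(1)</SCRIPT>",                 // regex has no IgnoreCase / i flag
  spacedEndTag: "<script>alert(1)</script >",             // browsers accept "</script >"
  nested: "<scr<script></script>ipt>alert(1)</script>",   // a single pass reassembles the tag
  eventHandler: "<img src=x onerror=alert(1)>",           // no <script> element at all
  jsUrl: '<a href="javascript:alert(1)">click</a>',
};

// Rough check for markup that would still run in a browser. Encoded text has
// no "<" left in it, so it never matches.
function looksExecutable(html) {
  return /<\s*script|<[^>]*\son\w+\s*=|href\s*=\s*["']?\s*javascript:/i.test(html);
}

function survivesStripping(name) {
  return looksExecutable(stripScriptTags(payloads[name]));
}

// Returns, per payload, what the regex leaves behind and whether encoding handles it.
function report() {
  const out = {};
  for (const name of Object.keys(payloads)) {
    out[name] = {
      afterStrip: stripScriptTags(payloads[name]),
      stillExecutable: survivesStripping(name),
      encodedExecutable: looksExecutable(htmlEncode(payloads[name])),
    };
  }
  return out;
}
```

Running report() shows five of the six constructed inputs coming out of stripScriptTags still carrying active content, while every one of them is inert after htmlEncode. Adding RegexOptions.IgnoreCase on the .NET side closes only the upper-case case; the event-handler and javascript: cases never involve a script element, which is the point bobince makes above. encodeWithLineBreaks gives the <br/> behaviour Csharper wanted without having to leave any user-supplied HTML unencoded.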