AllowHtml not working for ASP.Net Mvc 3 site

We are trying to use the [AllowHtml] attribute on one of our ViewModel properties so that we can avoid the YSOD:

The potentially dangerous Request.Form value was detected from client (RequestText = "<br>").

when we try to send HTML text, for example <br>. We want to use Server.HtmlEncode in the controller action to prevent attacks, but when we decorate the property with [AllowHtml], it has no effect, and if we try to use [ValidateInput(false)] on the controller action, it has no effect either. We saw stack overflow.site/questions / 1098928 / ... , which stated that in MVC 3 RC2 you should add:

ModelMetadataProviders.Current = new DataAnnotationsModelMetadataProvider();

in Global.asax.

We tried it too, although we are using the released version of MVC 3, not RC2, but it also had no effect. Does anyone know how to fix this?

Model:

using System.Web.Mvc;

namespace UI.Models.ViewModel
{
    public class CustomerRequestSupport
    {
        /// <summary>
        /// Gets or Sets the textual description entered by the Customer for 
        /// the support requested.
        /// </summary>
        [AllowHtml]
        public string RequestText { get; set; }
    }
}

Controller:

    [HttpPost]
    [TabsActionFilter]
    public ActionResult RequestSupport(CustomerRequestSupport collection)
    {
        if (ModelState.IsValid)
        {
            Ticket ticket = new Ticket();

            ticket.Requestor = LoggedInCustomer;

            ticket.Summary = "General Support Ticket";
            ticket.Notes = Server.HtmlEncode(collection.RequestText);

            var errors = _ticketService.SubmitTicket(ticket);

            if (errors.Any())
            {
                ModelState.AddModelError("collection",
                    String.Format("An error has occurred in your Request for Support: " +
                    "{0} Please try again later or call the help desk " +
                    "for immediate assistance.",
                    errors.Aggregate((acc, st) => acc + " " + st)));
            }
            else
            {
                TempData["FlashMessage"] = String.Format("Your request for support has been " +
                        "submitted, the Ticket Number is: {0}.", ticket.TicketNumber);

                return AutoMapView<CustomerDetails>(View("Details", base.LoggedInCustomer));
            }
        }

        // needed for tabs to show
        ViewData.CustomerContactSet(base.LoggedInCustomer);

        return View();
    }

View:

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage<UI.Models.ViewModel.CustomerRequestSupport>" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
 Request Support
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="PageTitle" runat="server">
 Request Support
</asp:Content>

<asp:Content ID="Content3" ContentPlaceHolderID="MainContent" runat="server">
<% using (Html.BeginForm())
   { %>
    <%= Html.ValidationSummary() %>
    <h2>Enter a description of the support needed</h2>
    <%: Html.TextAreaFor( m => m.RequestText, 4, 90, null) %>
    <input type="submit" value="Submit" />
<% } %>
</asp:Content>
<asp:Content ID="Content4" ContentPlaceHolderID="JavaScriptContent" runat="server">
</asp:Content>
+5
2 answers

In his answer, Darin is definitely on to something when he asks

So you have to do something different from what I showed here. What is it?

[Most of this answer was lost in extraction. The surviving fragments, in order, are: "ASP.NET", "FormCollection", "[AllowHtml]", "ASP.NET MVC OSS", "ELMAH, Glimpse, WebActivator, MvcContrib", "MVC OSS", "ASP.NET MVC", "AllowHtml", "OSS".]

+2

[Opening text of this answer lost in extraction.]

Model:

using System.Web.Mvc;

public class MyViewModel
{
    [AllowHtml]
    public string RequestText { get; set; }
}

Controller:

using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        var model = new MyViewModel
        {
            RequestText = "<strong>Hello World</strong>"
        };
        return View(model);
    }

    [HttpPost]
    public ActionResult Index(MyViewModel model)
    {
        return View(model);
    }
}

View:

@model MyViewModel
@using (Html.BeginForm())
{
    @Html.TextAreaFor(x => x.RequestText)
    <button type="submit">OK</button>
}

So you have to do something different from what I showed here. What is it?

+7
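As an added example (not Darin's code and not the asker's project), here is the same [AllowHtml] round trip extended to the point the question is really about: where the HTML encoding should happen. The asker planned to Server.HtmlEncode in the action before storing; since `<%: %>` (Web Forms views) and `@` (Razor) already encode on output, that stores a pre-encoded value and renders it double-encoded. The names SupportRequest, SupportController and NoteStore are hypothetical, and NoteStore stands in for the ticket service.

```csharp
// Added example, not code from the page: a minimal MVC 3 model/controller pair
// that lets "<br>" through request validation for one property only and leaves
// HTML encoding to the view at render time.
using System.Collections.Generic;
using System.Web.Mvc;

namespace Example.Models
{
    public class SupportRequest
    {
        // [AllowHtml] disables request validation for this property only;
        // every other bound field stays validated. [ValidateInput(false)] on
        // the action would switch validation off for the whole request.
        [AllowHtml]
        public string RequestText { get; set; }
    }
}

namespace Example.Controllers
{
    using Example.Models;

    // Hypothetical stand-in for the ticket service: keeps notes in memory.
    public static class NoteStore
    {
        public static readonly List<string> Notes = new List<string>();
    }

    public class SupportController : Controller
    {
        [HttpGet]
        public ActionResult Request()
        {
            return View(new SupportRequest());
        }

        [HttpPost]
        public ActionResult Request(SupportRequest model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Store the text as the user typed it. Encoding here would
            // (a) double-encode once the view encodes again, showing the user
            //     the literal text "&lt;br&gt;", and
            // (b) bake HTML escaping into data that other consumers (e-mail,
            //     an API, a plain-text export) do not expect.
            NoteStore.Notes.Add(model.RequestText);

            return RedirectToAction("Show", new { id = NoteStore.Notes.Count - 1 });
        }

        public ActionResult Show(int id)
        {
            // The view renders ViewBag.Note with "@" (Razor) or "<%: %>"
            // (Web Forms), both of which HTML-encode, so "<br>" is displayed
            // as text rather than interpreted as markup.
            ViewBag.Note = NoteStore.Notes[id];
            return View();
        }
    }
}

/* Views/Support/Request.cshtml

@model Example.Models.SupportRequest
@using (Html.BeginForm())
{
    @Html.ValidationSummary()
    @Html.TextAreaFor(m => m.RequestText)
    <button type="submit">Submit</button>
}

   Views/Support/Show.cshtml

@{ string note = (string)ViewBag.Note; }
<pre>@note</pre>   @* encoded on output: "<br>" arrives in the browser as &lt;br&gt; *@
*/
```

The check to run after wiring this up: post `<br>` through the form, then view the page source of Show. The markup should contain `&lt;br&gt;` exactly once; `&amp;lt;br&amp;gt;` means the value was encoded at both input and output. The one place raw HTML would reach the browser is `@Html.Raw(note)` (or `<%= %>` in Web Forms views), which should only ever be used on content that has been sanitized against an allow-list, never on stored user input.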
