Geek Answers Handbook

ASP.NET MVC3, Html.TextAreaFor without coding?

How can I use Html.TextAreaFor without encoding? I know this is a security risk, but I have a separate class that degrades any text.

Example:

@ Html.TextAreaFor (model => model.PostBodyText, 10, 100, 1)

I plan to use it with TinyMCE.

Relations RAVEN

UPDATE I am using the new Razor View Engine.

+7
encoding asp.net-mvc asp.net-mvc-3
source share
3 answers

You will need to collapse yourself:

<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10"> @MvcHtmlString.Create(Model.PostBodyText) </textarea>

Of course, from a security point of view, this can be very dangerous, since your site is now vulnerable to XSS attacks. So the question is, why with a separate class that degrades all text when you can just rely on HTML helpers to do the job for you?

+9
source share

Alternatively, you can use ValidateInput as described here . MVC style example:

 [ValidateInput(false)] public ActionResult Method(){ return View() } [ValidateInput(false)] [AcceptVerbs(HttpVerbs.Post)] public ActionResult Method(){ // your stuff here RedirectToAction("index"); // or something }

I think this is more than an MVC way. Now your controller tells you that there is a security issue in this controller method. Your presentation can be any normal view using html helpers, etc. Please note that this allows you to use all types of input, rather than filtering. He will work with TinyMCE, though .

//edit

woops I see you need to add

 <httpRuntime requestValidationMode="2.0"/>

in webconfig, as well as in newer versions of MVC. I suppose this may not be the way out.

+1
source share

Use the [AllowHtml] property for the model property. As I found out in ASP.NET MVC 3, how do I get a model using the Razor syntax in the Create () view? .

+1
source share

More articles:


All Articles