Tuesday, December 11, 2012

AllowHtml Attribute to allow html for your asp.net mvc application

Whenever you are trying to take html input from your asp.net mvc application without using AllowHtml attribute to model field then you will run into following error.

Server Error in '/' Application.

A potentially dangerous Request.Form value was detected from the client (StepValue="...Enumerable intSequence = ...").

Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (StepValue="...Enumerable intSequence = ...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (StepValue="...Enumerable intSequence = ...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9665149
   System.Web.<>c__DisplayClass5.b__3(String key, String value) +18
   System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9664565



Following are two most popular ways to allow html input in asp.net mvc

  • Make use of [AllowHtml] attribute on model field you want to allow html input. (Recommended way)
  • Make use of [ValidateInput(false)] on controller method - non recommended way because it will not validate any input field.


Example

Creating BlogPost wherein we want to allow blog content to take html

Model class 
public class BlogPost {
    public string Title { get; set; }
    public DateTime PostedOn { get; set; }
    public string Tags { get; set; }
    public string Content { get; set; }
}

Controller class
public class BlogPostController : Controller {
        public ActionResult Create() { 
            return View();
        }
        [HttpPost]
        public ActionResult Create(BlogPost model) {
            ViewBag.HtmlContent = model.Content; 
            return View(model);
        }
    }

View Page

@using (Html.BeginForm()) {
   
    @Html.ValidationSummary(true)

    <fieldset>
        <legend>BlogPost</legend>

        <div class="editor-label">
            @Html.LabelFor(model => model.Title)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Title)
            @Html.ValidationMessageFor(model => model.Title)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.PostedOn)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.PostedOn)
            @Html.ValidationMessageFor(model => model.PostedOn)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.Tags)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Tags)
            @Html.ValidationMessageFor(model => model.Tags)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.Content)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Content)
            @Html.ValidationMessageFor(model => model.Content)
        </div>

        <p>
            <input type="submit" value="Create" />
        </p>

        <p>
            Posted Content : @ViewBag.HtmlContent
        </p>

    </fieldset>
}



Method 1: Example with [AllowHtml] Attribute (Recommended)
By allowing html using AllowHtml Attribute we are limiting Html input for particular fields.  In our example we are allowing html to only BlogPost - Content field.

Change your BlogPost Model and add [AllowHtml] attribute as follow:
using System.Web.Mvc;

public class BlogPost {
    public string Title { get; set; }
    public DateTime PostedOn { get; set; }
    public string Tags { get; set; }
  
    [AllowHtml]
    public string Content { get; set; }
}


Method 2: Example with [ValidateInput(false)] (Non-Recommended)
You can also allow html by simply turning off validation on controller method as shown in following example:


public class BlogPostController : Controller {
        public ActionResult Create() { 
            return View();
        }
        [HttpPost]
        [ValidateInput(false)]
        public ActionResult Create(BlogPost model) {
            ViewBag.HtmlContent = model.Content; 
            return View(model);
        }
    }

Problem with using [ValidateInput(false)] is it will turn off validation on whole controller's action method which is very dangerous.

No comments:

Most Recent Post

Community Updates

Subscribe Blog via Email

Enter your email address:



Disclaimers:We have tried hard to provide accurate information, as a user, you agree that you bear sole responsibility for your own decisions to use any programs, documents, source code, tips, articles or any other information provided on this Blog.
Page copy protected against web site content infringement by Copyscape