I need to accept HTML-formatted user input in my ASP.NET application. An example of the input:
<p style="font-family: arial, sans-serif; font-weight: normal; font-size: 10pt; text-align: center"></p>
I am using tinymce to format the controls. Before I send the text to the client, the text is HTML encoded and it shows in the control ok.
Now I want to receive the change from the user. ASP.NET blocks potentially dangerous inputs such as HTML tags for security reasons. If someone tries to post such input then the page throws an exception such as:
System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client
The workaround is to turn off validation at the page level by adding the ValidateRequest="false" attribute to the Page directive. Then HTML encode all inputs.
But, even though I have added the attribute to the page directive, the page still raises the HttpRequestValidationException exception. I checked my web.config and I don't have anything there.
Is there something I missed? How else can I turn off page validation so I can accept HTML formatted user input?
P.S. One thought I have is to encode the input using JavaScript before the page is posted, but I would rather handle it in the code behind, if possible.