How to allow HTML formatted user input

Question

4.00/5 (1 vote)

See more:

I need to accept HTML formatted user input in my asp.net application. An example of the input:
<p style="font-family: arial, sans-serif; font-weight: normal; font-size: 10pt; text-align: center"></p>

I am using tinymce[^] to format the controls. Before I send the text to the client, the text is HTML encoded and it shows in the control ok.

Now I want to receive the change from the user. ASP.NET blocks potentially dangerous inputs[^] such as HTML tags for security reasons. If someone tries to post such input then the page throws an exception such as.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client

The work around is to turn validation at the page level by adding ValidateRequest="false" attribute to the Page directive. Then HMTL encode all inputs.

But, even though I have added the attribute to the page directive, the page still raises HttpRequestValidationException exception. I checked my web.config and I don't have anything there.

Is there something I missed? How else can I turn off page validation so I can accept HTML formatted user input?

p.s. One thought I have is to encode the input using javascript before the page is posted, but I would rather handle in the code behind, if possible.

Posted 1-Mar-11 3:55am

Yusuf

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Manas Bhardwaj · Accepted Answer · 2011-03-01T04:08:00

Solution 2

try this:

XML

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes[^]

EDIT: limiting to a page level and not application wide.

XML

<location path="whatever">
    <system.web>
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</location>

Posted 1-Mar-11 4:08am

Manas Bhardwaj

Updated 1-Mar-11 4:30am

v3

Comments

Yusuf 1-Mar-11 10:26am

Manas,
Good suggestion. I tried it, and it seems to work. On further reading http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode.aspx it seems to to affect other non page request validation. For now it may be a solution, but I'll see if I can keep the default (4.0) while allowing only that page to have no validation.

Thanks again for your input.

Manas Bhardwaj 1-Mar-11 10:31am

glad this helped you. I suffered through a similar one recently. I updated my answer for making changes only for a single page. have a look.

Yusuf 1-Mar-11 10:43am

You beat me to it. That is exactly what I have in mind when I stated to look a way to set only for that page.
Again good suggestion. Thanks

Monjurul Habib 1-Mar-11 10:29am

nice one + 5:
we can also use this for a particular page,using ValidateRequest="false"