Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET MVC3, Html.TextAreaFor without encoding?

How can I use the Html.TextAreaForwithout encoding it? I know it's a security risk but I have a separate class that sanitizes any text.

Example:

@Html.TextAreaFor(model =>model.PostBodyText, 10, 100, 1)

I'm planning to use it with TinyMCE.

Regards RaVen

UPDATE I'm using the new Razor View Engine.

like image 381
RaVen Avatar asked Nov 22 '10 12:11

RaVen


2 Answers

You will need to roll your own:

<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
    @MvcHtmlString.Create(Model.PostBodyText)
</textarea>

Of course in terms of security this could be very dangerous as your site is now vulnerable to XSS attacks. So the question is why having a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?

like image 166
Darin Dimitrov Avatar answered Sep 21 '22 10:09

Darin Dimitrov


As an alternative option you might wanna use ValidateInput as described here. An example in MVC style would be:

[ValidateInput(false)]
public ActionResult Method(){
     return View()
}

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(){
    // your stuff here
    RedirectToAction("index"); // or something 
}

I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.

//edit

woops I see you need to add

<httpRuntime requestValidationMode="2.0"/>

to webconfig as well in new versions of MVC. Guess it might not be the way to go.

like image 37
bastijn Avatar answered Sep 20 '22 10:09

bastijn