I am developing a mathematics site using Asp.Net MVC 3 + Razor + MathJax.
MathJax is a javascript library to render TeX or LaTeX codes in the web browser.
TeX or LaTeX codes represent mathematics content such as an inline math $y=mx+c$ and a displayed math \[y=mx+c\].
Right now my site can accept input, for example, $x<y$. However, it cannot accept $x<y>z$ because the framework regards this input as vulnerable to XSS and XSRF.
Shortly speaking, what should I do to accomplish what I want without opening a security vulnerability?
In ASP.NET MVC 3 you could decorate the property of your model that needs to accept this input with the [AllowHtml] attribute. This way you are not forced to disable input validation for the entire controller action, which was previously done by decorating it with the [ValidateInput] attribute. So on your model:
public class MathematicsViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }

    // Request validation is switched off for this one property only.
    [AllowHtml]
    public string MathematicFormula { get; set; }
}
and then have your controller action:
[HttpPost]
// The action name was missing in the original; "Create" is a placeholder.
public ActionResult Create(MathematicsViewModel model)
{
    // model.MathematicFormula will now accept input like $x<y>z$
    ...
}
And inside your view you could have a textbox named MathematicFormula in which the user could type those characters and you won't get an exception.
Also don't forget to set the following in your web.config, or this attribute won't have effect in .NET 4.0 (which is what ASP.NET MVC 3 uses):
<httpRuntime requestValidationMode="2.0"/>
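[AllowHtml] only stops request validation from rejecting the field; it does nothing on the output side, so the safety of the page depends on the formula being HTML-encoded when it is rendered. The added example below (my own code, not from the question or the answer) shows the model, a hypothetical "Save" action, and a helper that does the same encoding Razor's @Model.MathematicFormula does automatically; the browser decodes &lt; and &gt; back into text before MathJax reads the element, so the formula still typesets. It assumes the httpRuntime element above sits inside <system.web> and that the form carries @Html.AntiForgeryToken().

```csharp
using System.Web;
using System.Web.Mvc;

// Added example; MathematicsViewModel and the action names are assumptions.
public class MathematicsViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }            // still request-validated

    [AllowHtml]                                  // only this field may contain < and >
    public string MathematicFormula { get; set; }
}

public static class FormulaMarkup
{
    // Equivalent to what Razor emits for "<div class=\"math\">@formula</div>".
    // "$x<y>z$" becomes "$x&lt;y&gt;z$": the browser never sees a user-supplied
    // tag, yet the element's text content is "$x<y>z$", which MathJax typesets.
    // Never use @Html.Raw(formula) for this field: it would skip the encoding.
    public static string Render(string formula)
    {
        return "<div class=\"math\">" + HttpUtility.HtmlEncode(formula ?? "") + "</div>";
    }
}

public class MathematicsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]                   // pairs with @Html.AntiForgeryToken() in the form
    public ActionResult Save(MathematicsViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Store the raw TeX; encoding is an output-time concern, not a storage one.
        TempData["Formula"] = model.MathematicFormula;
        return RedirectToAction("Show");
    }

    public ActionResult Show()
    {
        string formula = TempData["Formula"] as string;
        // FormulaMarkup.Render("$x<y>z$") == "<div class=\"math\">$x&lt;y&gt;z$</div>"
        return Content(FormulaMarkup.Render(formula), "text/html");
    }
}
```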