Tags: vb.net, asp.net-mvc-3, model-view-controller, html-encode

How to allow a user to enter HTML comments


Using MVC, EF 4.2. I am working on an application that has a comment section. Right now, if a user enters a comment that contains HTML, e.g.

<b>text</b>

and hits submit, I get the message "A potentially dangerous Request.Form value was detected..."

  1. How do I handle HTML on the way into the DB? Should I just strip the HTML? Or encode it? I tried Server.HtmlEncode on the text, but I still had the same error message.

I have read a number of posts on the matter, including some here at SO: this one and this one.

Ideally, I'd like to be able to allow a limited number of HTML tags such as em, strong, a. Would Anti-XSS, HTML Agility, some kind of BB code, or a markdown-style editor still be the recommended way? I know Jeff has a whitelist bit of code; however, it is a few years old.


Solution

  • you can do

    using System.Web.Mvc;

    // Turns request validation off for every parameter of this one action.
    [ValidateInput(false)]
    public ActionResult foo()
    {
        return View();
    }

    or you can decorate the model property with AllowHtml

    using System.Web.Mvc;

    public class Foo
    {
        // Only this property may contain markup; the rest of the model is still validated.
        [AllowHtml]
        public string bar { get; set; }
    }