Practical .NET

Accept HTML and Script from Your Web Pages

Accept HTML and Script from Your Web Pages

By default, ASP.NET prevents users from entering HTML and Script into your page's textboxes. You can turn that off if you want (and, potentially, open your site to various hacks), but you'll have to decide how much exposure you want.

You can turn off checking for HTML on a property-by-property basis by decorating properties in your Model object (SampleInput, in my example), with the AllowHtml attribute. This turns off validation for elements generated from the FormattedText property:

Public Class SampleInput
  <AllowHtml>
  Public Property FormattedText As String

Alternatively, you can decorate your Action method with the ValidateInput attribute, passing False, to turn off validation for the whole Action method:

<ValidateInput(False)>
Function Index(cust As SampleInput) As ActionResult

The smarter move is probably to just turn off validation for the properties involved.

Be warned: It doesn't take much to confuse this process. I've discovered that having another element on the page that uses (for example) the Remote attribute defeats both AllowHtml and ValidateInput.

You'll also want to examine the data returned to your Action method to make sure that it only contains HTML that you're willing to accept (probably formatting tags like <em> or <i>) and doesn't contain tags you don't want (for example, <link> or <script<). The safest solution is probably to count all the tags in your input (such as count all the </ or /> strings) and then count the number of "acceptable" tags (the number <em and <i strings). If the two numbers are different, reject the input.

About the Author

Peter Vogel is a system architect and principal in PH&V Information Services. PH&V provides full-stack consulting from UX design through object modeling to database design. Peter tweets about his VSM columns with the hashtag #vogelarticles. His blog posts on user experience design can be found at http://blog.learningtree.com/tag/ui/.

comments powered by Disqus

Featured

  • VS Code 1.127 Further Integrates Advanced Browser-AI Tech

    Microsoft's July 1 Visual Studio Code update continues a recent push to make the editor's integrated browser a more capable development surface -- and a more useful tool for AI agents.

  • Support Vector Regression with SGD Training Using C#

    Support vector regression can predict numeric values effectively, and this article shows how to implement and train a kernel SVR model in C# using stochastic sub-gradient descent.

  • New GitHub Switch Limits Repo Issue Creation to Collaborators Only

    After publicly touting pull request limits as a way to cut maintainer noise, GitHub is taking the same idea further with a new setting that lets repository admins restrict issue creation to collaborators only.

  • Uno Platform Helps Ship First Stable SkiaSharp 4.0 Release for 2D .NET Graphics

    SkiaSharp 4.148.0 is the first stable v4 release, bringing a newer Skia engine, API cleanup, performance work and a Microsoft-Uno co-maintenance model.

Subscribe on YouTube