Practical .NET

Accept HTML and Script from Your Web Pages

By default, ASP.NET's request validation rejects any posted value that looks like markup (a < followed by a letter, for instance), so users can't enter HTML or script into your page's textboxes: the request fails with an HttpRequestValidationException ("A potentially dangerous Request.Form value was detected") before your Action method ever runs. You can turn that off if you want (and, potentially, open your site to cross-site scripting and similar hacks), but you'll have to decide how much exposure you want.

You can turn off checking for HTML on a property-by-property basis by decorating properties in your Model object (SampleInput, in my example) with the AllowHtml attribute from the System.Web.Mvc namespace. This turns off validation only for the form value bound to the FormattedText property; every other field on the form is still checked:

Imports System.Web.Mvc

Public Class SampleInput
  <AllowHtml>
  Public Property FormattedText As String
End Class

Alternatively, you can decorate your Action method with the ValidateInput attribute, passing False, to turn off validation for every value posted to that Action method:

<ValidateInput(False)>
Function Index(cust As SampleInput) As ActionResult
  Return View(cust)
End Function

The smarter move is probably to just turn off validation for the properties involved: that keeps request validation in place for every other field on the form.

Be warned: It doesn't take much to confuse this process. I've discovered that having another element on the page that uses (for example) the Remote attribute defeats both AllowHtml and ValidateInput.

You'll also want to examine the data returned to your Action method to make sure that it only contains HTML that you're willing to accept (probably formatting tags like <em> or <i>) and doesn't contain tags you don't want (for example, <link> or <script>) or attributes you don't want (an onmouseover attribute turns a harmless <em> into script). Do that as an allowlist rather than a denylist: extract every tag in the input, compare its full name (not just its first characters: <img> starts with <i, and <embed> starts with <em) against the short list of tags you accept, reject any tag that carries attributes, and reject the input if any angle brackets remain once the accepted tags have been removed. Simply counting tags (counting the </ or /> strings and comparing that with the number of <em and <i strings) is easy to get past, so don't rely on it. If you're willing to take a dependency, an HTML sanitizer library that works on a parsed document rather than on string patterns is safer still. Whatever check you use, it has to pass before you render the stored value with Html.Raw, because that is the point at which the default output encoding that normally protects you is switched off.
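Here is a complete worked version of that allowlist check, as an added example rather than code from the original column. The SampleInput model, the HomeController class, the IsAcceptable function and the list of four permitted tags are assumptions for the illustration, and the Regex-based scan is a conservative stand-in for a real HTML parser: it rejects anything it does not explicitly recognize.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Text.RegularExpressions
Imports System.Web.Mvc

' Model: only FormattedText is exempt from ASP.NET request validation.
' (Hypothetical model for this example.)
Public Class SampleInput
    <AllowHtml>
    Public Property FormattedText As String
    Public Property Title As String   ' still checked by request validation
End Class

' Hypothetical helper: a strict allowlist check for user-supplied HTML.
Public Module HtmlAllowList
    ' Tags we will accept; none of them may carry attributes.
    Private ReadOnly Allowed As New HashSet(Of String)(
        {"em", "i", "strong", "b"}, StringComparer.OrdinalIgnoreCase)

    ' Matches any markup tag: optional closing slash, a tag name, and whatever
    ' follows the name up to the closing angle bracket (group 3).
    Private ReadOnly TagPattern As New Regex(
        "<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>", RegexOptions.Compiled)

    ' Returns True only if every tag in the input is on the allowlist, carries
    ' no attributes, and no stray angle brackets remain once those tags are gone.
    Public Function IsAcceptable(input As String) As Boolean
        If String.IsNullOrEmpty(input) Then Return True

        For Each m As Match In TagPattern.Matches(input)
            Dim name As String = m.Groups(2).Value
            Dim rest As String = m.Groups(3).Value.Trim()

            ' Compare whole names, not prefixes: <img> starts with "<i" and
            ' <embed> starts with "<em", yet neither is allowed.
            If Not Allowed.Contains(name) Then Return False

            ' <em onmouseover="..."> is still an <em>; reject anything after the name.
            If rest.Length > 0 Then Return False
        Next

        ' Strip the accepted tags. Anything that still looks like markup
        ' (a comment, "<script<", a bare "<") is rejected.
        Dim remainder As String = TagPattern.Replace(input, "")
        Return remainder.IndexOf("<"c) < 0 AndAlso remainder.IndexOf(">"c) < 0
    End Function
End Module

' Hypothetical controller showing where the check runs.
Public Class HomeController
    Inherits Controller

    <HttpPost>
    Function Index(cust As SampleInput) As ActionResult
        If Not HtmlAllowList.IsAcceptable(cust.FormattedText) Then
            ModelState.AddModelError("FormattedText",
                "Only <em>, <i>, <strong> and <b> tags without attributes are allowed.")
            Return View(cust)
        End If

        ' Safe to store cust.FormattedText and later render it with Html.Raw,
        ' because it passed the allowlist above.
        Return View(cust)
    End Function
End Class
```

With this check, "Use <em>plain</em> <i>tags</i>" passes, while "<img src=x>", "<em onmouseover=alert(1)>", "<script<" and a bare "3 < 5" are all rejected. That last case is deliberate: a legitimate less-than sign in user text has to arrive as &lt;, which is what your editor control should send anyway; loosening the rule to tolerate stray brackets is exactly where string-based checks start letting markup through.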

About the Author

Peter Vogel is a system architect and principal in PH&V Information Services. PH&V provides full-stack consulting from UX design through object modeling to database design. Peter tweets about his VSM columns with the hashtag #vogelarticles. His blog posts on user experience design can be found at http://blog.learningtree.com/tag/ui/.
