I'm using a rich text editor in my asp mvc form (nicedit with a textarea) and when I submit the form on post, because it is not html encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client" . How can I html encode the textarea on post ? I don't want to cancel the validation. Is there a way to use the html.encode helper on submit?

Thank you.

I'm using a rich text editor in my asp mvc form (nicedit with a textarea) and when I submit the form on post, because it is not html encoded I get the following message: "A potentially dangerous Request.Form value was detected from the client" . How can I html encode the textarea on post ? I don't want to cancel the validation. Is there a way to use the html.encode helper on submit?

Thank you.

• javascript
• jquery
• asp-mvc
• validation
• encoding

3 Answers 3

You could decorate the action handling the form post with the ValidateInputAttribute:

[ValidateInput(false)]
[HttpPost]
public ActionResult SomeActionToHandleFormSubmission() 
{
    ...
}

Rather than switching off ValidateInput , as then you are open to vulnerabilities, you could use Javascript to encode the special charaters. This allows you to not throw the error message:

A potentially dangerous Request.Form value was detected from the client

for some simple inputs (such as emails in the format MyName<[email protected]>) but still having the built in MVC function to watch your back for other script injection. Off course if you need the input in the correct format at the server you will have to decode it and be careful if you are outputting it again

If already using jQuery, this can easily be added to all input fields as follows

$("input").on("change", function() {
    $(this).val(htmlEscape($(this).val()));
});

htmlEscape here is my own function to change the special chars.

function htmlEscape(str) {
    return str
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

Depending on your needs you may want to escape all characters using the built in Javascript function encodeURI or extend the above function such as:

function htmlEscape(str) {
    return str
        .replace(/&/g, '&')
        .replace(/"/g, '"')
        .replace(/'/g, ''')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');
}

Are you using 4.0? If so you will also need

<system.web>' 
<httpRuntime requestValidationMode="2.0"/>'

in your config.web file.