MVC Html Encoding / Decoding

MVC Html Encoding / Decoding

airmasterairmaster Posts: 72Questions: 15Answers: 2

I am encountering an error in MVC regarding the saving of a form that is a TextArea and uses TinyMCE for editing. When saving the data, I get an error: "System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client....", which is protection from XSS.

My thought is to apply some encoding before submission, and decoding on the form load. Are there any examples on how to do that? I tried change the value on the 'initSubmit' event, using either editor.val() or editor.field(,), but the first through a

<

p> on anyway, and the second did nothing (after calling an encoding function.

What is the right way to do this? Should I do it server side? client side? Can you point me in a direction.

Answers

  • airmasterairmaster Posts: 72Questions: 15Answers: 2

    I did try the [AllowHtml] tag on the field, but this is bypassed. Maybe datatables calls the validation routine separately.

  • allanallan Posts: 63,696Questions: 1Answers: 10,500 Site admin

    In .NET Framework you can use the UnvalidatedRequestValues values. You access that from the Request object using request.Unvalidated.

    Allan

  • airmasterairmaster Posts: 72Questions: 15Answers: 2

    Okay, for MVC I did this: var request = HttpContext.Request.Unvalidated.Form;

    Although given the quite limited access to my tool, I am unlikely to have any security issues...am I potentially exposting myself to any issues doing this? Also, why didn't the [AllowHtml] tag not work?

  • airmasterairmaster Posts: 72Questions: 15Answers: 2

    Am I correct, looking at the actual DB entries, that Datatables takes care of this automatically?

    I did take a look at the documentation, but I didn't know about the Unvalidated option.

  • allanallan Posts: 63,696Questions: 1Answers: 10,500 Site admin

    Also, why didn't the [AllowHtml] tag not work?

    The reflection we use in Editor doesn't currently look for that attribute. I actually wasn't aware of it! I've added it to the list.

    Am I correct, looking at the actual DB entries, that Datatables takes care of this automatically?

    Yes it should. However, the Microsoft XSS protection is quite aggressive so if you want to be certain the data is not transformed us the Field.Xss() method - see here.

    Allan

  • airmasterairmaster Posts: 72Questions: 15Answers: 2

    I am not sure how to use the Field.Xss method. Is that server or client side? The link to the .NET side is dead.

  • allanallan Posts: 63,696Questions: 1Answers: 10,500 Site admin

    Sorry - its server-side. The API reference for it is here.

    You'd use something like:

    var editor = new Editor(...)
      .Model<...>()
      .Field(
        new Field('myField').Xss(false)
      );
    

    Allan

This discussion has been closed.