
My engine is Aspx.

How can I decode/encode the HTML tags that are in my text box? I have the HTML tags to make it more readable. I tried the ValidationRequest and the htmlDecode(freqQuestion.Answer) but no luck. I just keep getting the same message.

Server Error in '/Administrator' Application.

A potentially dangerous Request.Form value was detected from the client (QuestionAnswer="...ics Phone:
123-456-7890

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

View Page

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" validateRequest="false" Inherits="System.Web.Mvc.ViewPage<dynamic>" %>


<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
    EditFreqQuestionsUser
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">

<script type="text/javascript">
    $(document).ready(function () {
        $("#freqQuestionsUserUpdateButton").click(function () {
            $("#updateFreqQuestionsUser").submit();
        });
    });
</script>
<h2>Edit Freq Questions User </h2>

<%Administrator.DarkstarAdminProductionServices.FreqQuestionsUser freqQuestionsUser = ViewBag.freqQuestionsUser != null ? ViewBag.freqQuestionsUser : new Administrator.DarkstarAdminProductionServices.FreqQuestionsUser(); %>
<%List<string> UserRoleList = Session["UserRoles"] != null ? (List<string>)Session["UserRoles"] : new List<string>(); %>
<form id="updateFreqQuestionsUser" action="<%=Url.Action("SaveFreqQuestionsUser","Prod")%>" method="post">
    <table> 
        <tr>
            <td colspan="3" class="tableHeader">Freq Questions User Details <input type ="hidden" value="<%=freqQuestionsUser.freqQuestionsUserId%>" name="freqQuestionsUserId"/> </td>
        </tr>
         <tr>
            <td colspan="2" class="label">Question Description:</td>
            <td class="content">
                <input type="text" maxlength="2000" name="QuestionDescription" value="<%=freqQuestionsUser.questionDescription%>" />
            </td>
        </tr>
         <tr>
            <td colspan="2" class="label">QuestionAnswer:</td>
            <td class="content">
                <input type="text" maxlength="2000" name="QuestionAnswer" value="<%=Server.HtmlDecode(freqQuestionsUser.questionAnswer)%>" />
            </td>
        </tr>
        <tr>
            <td colspan="3" class="tableFooter">
                    <br />
                    <a id="freqQuestionsUserUpdateButton" href="#" class="regularButton">Save</a>
                    <a href="javascript:history.back()" class="regularButton">Cancel</a>
            </td> 
        </tr>
    </table>
</form>
</asp:Content>

Controller

[AuthorizeAttribute(AdminRoles = "EditFreqQuestionsUser")]
public ActionResult SaveFreqQuestionsUser(string QuestionDescription, string QuestionAnswer)
{
    Guid freqQuestionsUserId = Request.Form["freqQuestionsUserId"] != null ? new Guid(Request.Form["freqQuestionsUserId"]) : Guid.Empty;

    //load agreement eula ref
    AdminProductionServices.FreqQuestionsUser freqqQuestionsUser = Administrator.Models.AdminProduction.FreqQuestionsUser.LoadFreqQuestionsUser(freqQuestionsUserId, string.Empty, string.Empty)[0];

    freqqQuestionsUser.questionDescription = QuestionDescription;
    freqqQuestionsUser.questionAnswer = QuestionAnswer;

    //save it
    Administrator.Models.AdminProduction.FreqQuestionsUser.addFreqQuestionsUser(freqqQuestionsUser);

    return RedirectToAction("SearchFreqQuestionsUser", "Prod", new { FreqQuestionsUserId = freqQuestionsUserId });
}
Just FYI, <td colspan="2" class="label">Question Description:</td> should be <td colspan="2" class="label"><label for="QuestionDescription">Question Description:</label></td> and <input type="text" maxlength="2000" name="QuestionDescription" value="<%=freqQuestionsUser.questionDescription%>" /> should be <input type="text" maxlength="2000" name="QuestionDescription" value="<%=freqQuestionsUser.questionDescription%>" id="QuestionDescription" />. In conclusion, I added <label for="QuestionDescription">Question Description</label> and I added the id="QuestionDescription" to the input. – David Bélanger

What's the major difference? Just curious. – Yusuf

Not much. Just added a real label. When you click the text, it'll auto-focus the input. Just a friendly thing each website should have... – David Bélanger

@Jeremy: not much protection, anyone can peek into the history :-) – Fyodor Soikin

@Jeremy: Saying that probably drew a lot more attention to the phone number than just doing it quietly would have. ;-) – Chris

1 Answer

The ValidateRequest directive doesn't work with MVC, because, unlike in WinForms, the .aspx file is not the entity that receives the request. The controller is. Consequently, the controller is where you should disable validation. Just apply the [ValidateInput(false)] attribute to your action or the whole controller, and the runtime will pass your tags through.
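The controller-side fix from the answer, written out as an added example (not code from the question or the answer), together with the output-encoding step the question's view gets backwards. It assumes ASP.NET MVC 3 or later and the action and field names from the question; IFreqQuestionsStore and FreqQuestionsUserRecord are assumed stand-ins for the page's static data helpers.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example, not code from the question or the answer. Assumes ASP.NET MVC 3+
// and the action/field names from the question; IFreqQuestionsStore and
// FreqQuestionsUserRecord are assumed stand-ins for the page's static data helpers.
public class FreqQuestionsUserRecord
{
    public Guid freqQuestionsUserId;
    public string questionDescription;
    public string questionAnswer;
}

public interface IFreqQuestionsStore // assumed placeholder
{
    FreqQuestionsUserRecord Load(Guid id);
    void Save(FreqQuestionsUserRecord record);
}

public class ProdController : Controller
{
    private readonly IFreqQuestionsStore _store;
    public ProdController(IFreqQuestionsStore store) { _store = store; }

    // The answer's fix: [ValidateInput(false)] on the action replaces the
    // validateRequest="false" page directive, which MVC ignores because the
    // view never receives the POST. Keep it on this one action; with a view
    // model, [AllowHtml] on the one HTML-bearing property is narrower still.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult SaveFreqQuestionsUser(Guid freqQuestionsUserId,
        string QuestionDescription, string QuestionAnswer)
    {
        var user = _store.Load(freqQuestionsUserId);
        user.questionDescription = QuestionDescription;
        user.questionAnswer = QuestionAnswer; // stored verbatim, tags included
        _store.Save(user);
        return RedirectToAction("SearchFreqQuestionsUser", "Prod",
            new { FreqQuestionsUserId = freqQuestionsUserId });
    }

    // Value to put back into the edit box: attribute-encode it so a stored "<b>"
    // shows as literal text inside value="..." instead of breaking out of it.
    // The question's Server.HtmlDecode does the opposite.
    public static string ForEditBox(string storedAnswer)
    {
        return HttpUtility.HtmlAttributeEncode(storedAnswer ?? string.Empty);
    }
}
```

In the .aspx view, `value="<%=ProdController.ForEditBox(freqQuestionsUser.questionAnswer)%>"` (or the `<%: %>` encoding syntax) keeps the tags visible as text in the edit box; the stored answer is only rendered unencoded on the public page, where whoever can edit it is trusted via the existing AuthorizeAttribute.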