I'm betting I'm using something incorrectly here...

My MVC3 application uses Pagedown to provide a javascript text editor, markdown converter, and live preview. I use its "santizer" object to strip potentially dangerous code just as suggested in instruction - you can see it at work in the demo.

The javascript code looks like this:

(function () {
    var converter1 = Markdown.getSanitizingConverter();
    var editor1 = new Markdown.Editor(converter1);
    editor1.run();
})();

This code transforms a marked textarea tag into an editor, and uses the santizing converter to strip bad stuff. In some ways it seems to be working. Examples:

• marquee tag as in the demo it is stripped properly.
• <p style="font-size:40em;">Super Big Text</p> is stripped to Super Big Text

But something is not correct... when I insert a fake javascript like so:

TEXT `<script type="text/javascript">alert("gotcha!");</script>` MORE TEXT

and post the form, it bombs out with a yellow screen of death:

Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

Is this string not already encoded safely like &lgt;script... etc.?

Question: What am I missing to ensure code blocks and inline code are properly transformed so that they may be posted to the server as a safe string?

What am I missing to ensure code blocks and inline code are properly transformed so that they may be posted to the server as a safe string?

Nothing. Or at least probably nothing, assuming you're creating the textarea with the correct output escaping, which you will be if using eg a Web Forms or MVC control.

The YSOD appears for any and all input content that looks like element markup, regardless of whether your application handles output escaping correctly or is vulnerable. It's not indicative of an XSS problem, it happens all the time.

If you want to allow user input that contains data that looks like element markup (and there's nothing intrinsically dangerous about that—you just have to get the output escaping right), turn off Request Validation. It is completely bogus as a real security feature and only really gives you a false sense of security; it is disappointing that Microsoft are pushing it, as it betrays a fatal misunderstanding of what HTML injection is.

Unfortunately disabling it gets more irritating under ASP.NET 4. You have to reset the old model with <httpRuntime requestValidationMode="2.0" /> and then add ValidateRequest="false" to the page.