ASP.NET MVC3, Html.TextAreaFor without encoding?

2019-02-17 06:04发布

站内问答 / 前端开发
590 3 6

How can I use the Html.TextAreaForwithout encoding it? I know it's a security risk but I have a separate class that sanitizes any text.

Example:

@Html.TextAreaFor(model =>model.PostBodyText, 10, 100, 1)

I'm planning to use it with TinyMCE.

Regards RaVen

UPDATE I'm using the new Razor View Engine.

3条回答
Juvenile、少年°
2楼-- · 2019-02-17 06:32

As an alternative option you might wanna use ValidateInput as described here. An example in MVC style would be:

[ValidateInput(false)]
public ActionResult Method(){
     return View()
}

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(){
    // your stuff here
    RedirectToAction("index"); // or something 
}

I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.

//edit

woops I see you need to add

<httpRuntime requestValidationMode="2.0"/>

to webconfig as well in new versions of MVC. Guess it might not be the way to go.

查看更多
0人赞 添加讨论(0) 举报
3楼-- · 2019-02-17 06:43

You will need to roll your own:

<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
    @MvcHtmlString.Create(Model.PostBodyText)
</textarea>

Of course in terms of security this could be very dangerous as your site is now vulnerable to XSS attacks. So the question is why having a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?

查看更多
0人赞 添加讨论(0) 举报
淡お忘
4楼-- · 2019-02-17 06:43

Use [AllowHtml] on the model property. As I learned in In ASP.NET MVC 3, how do I get at the model using Razor Syntax in a Create() View?.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)