Often an ASP.NET MVC application needs to accept text that a user has entered into a text field or textarea and post it back to the server. In a project I am working on I am using the TinyMCE WYSIWYG text editor to allow users to write articles. The editor produces ordinary HTML formatting tags, and when submitting the form I have run across the infamous "A potentially dangerous Request.Form value was detected from the client" error. So, how do you get around this? You want the user to be able to use some HTML, but you also need to protect your site from script injection (XSS).
Enter the [ValidateInput(false)] attribute.
Adding this attribute to each action method where you expect HTML tags to come in lets the controller run the action instead of throwing. This works, but it is not bulletproof: the attribute simply switches off request validation for that action (every parameter of it, not just the editor field), so from that point on nothing is checking the input unless you do it yourself. Two caveats: on ASP.NET 4.0 with MVC 2 the attribute only takes effect when web.config also sets <httpRuntime requestValidationMode="2.0" />, and from MVC 3 onward the [AllowHtml] attribute on a single model property is the narrower option, leaving validation on for everything else.
Doing a string.Replace() on the incoming content to remove known-bad substrings (script tags, on* event handlers, javascript: URLs) raises the bar a little, but a blacklist like that is easy to get past: mixed case, HTML-encoded characters, or a nested tag all slip through. For example, Replace("<script>", "") applied to <scr<script>ipt> removes the inner tag and leaves exactly <script> behind. The safer approach is an allowlist: parse the HTML, keep only the handful of tags and attributes the editor actually needs, and drop everything else.
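An allowlist sanitizer of that kind, as an added example that is not the original post's method or code. It assumes the HtmlAgilityPack NuGet package (not mentioned in the post) is referenced, and the ArticlesController, its Create action and the tag list are illustrative names and choices, not from the project.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack; // assumption: the HtmlAgilityPack NuGet package is referenced

// Allowlist sanitizer: parse the submitted HTML, keep only known-safe tags and attributes.
public static class HtmlAllowlist
{
    // Tags the article editor needs. Anything else is unwrapped: its text survives, the tag does not.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "a"
    };

    // Attributes allowed per tag. style, class, id and every on* handler are deliberately absent.
    static readonly Dictionary<string, HashSet<string>> AllowedAttributes =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" } }
        };

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html)) return string.Empty;
        var doc = new HtmlDocument();
        doc.LoadHtml(html);           // a real parser, so <scr<script>ipt> tricks do not apply
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    static void Clean(HtmlNode parent)
    {
        // Walk a copy of the child list: the tree is modified while we iterate.
        foreach (var child in parent.ChildNodes.ToList())
        {
            if (child.NodeType == HtmlNodeType.Comment)
            {
                parent.RemoveChild(child);  // comments can carry conditional-comment payloads
                continue;
            }
            if (child.NodeType != HtmlNodeType.Element)
                continue;                   // text nodes are data, not markup

            // script/style bodies must go entirely; unwrapping would leave the payload as text
            if (child.Name.Equals("script", StringComparison.OrdinalIgnoreCase) ||
                child.Name.Equals("style", StringComparison.OrdinalIgnoreCase))
            {
                parent.RemoveChild(child);
                continue;
            }

            Clean(child);                   // sanitize descendants before deciding about this node

            if (!AllowedTags.Contains(child.Name))
            {
                // Drop <div>, <iframe>, <object>, <form>... but keep their already-clean children.
                parent.RemoveChild(child, true);
                continue;
            }

            HashSet<string> allowed;
            AllowedAttributes.TryGetValue(child.Name, out allowed);
            foreach (var attr in child.Attributes.ToList())
            {
                bool keep = allowed != null && allowed.Contains(attr.Name);
                if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                    keep = IsSafeUrl(HtmlEntity.DeEntitize(attr.Value)); // decode &#106;avascript: first
                if (!keep) attr.Remove();
            }
        }
    }

    // Only http, https, mailto or scheme-less relative URLs are allowed in href.
    static bool IsSafeUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // Browsers ignore control characters and whitespace inside a scheme ("java\tscript:"),
        // so strip them before looking for the colon.
        var cleaned = new string(url.Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
        int colon = cleaned.IndexOf(':');
        int firstDelimiter = cleaned.IndexOfAny(new[] { '/', '?', '#' });
        bool hasScheme = colon >= 0 && (firstDelimiter < 0 || colon < firstDelimiter);
        if (!hasScheme) return true;    // /path, ?q=1, #anchor, page.html
        string scheme = cleaned.Substring(0, colon).ToLowerInvariant();
        return scheme == "http" || scheme == "https" || scheme == "mailto";
    }
}

// Illustrative controller (assumed name): validation is off for this action only,
// and the sanitizer becomes the control that request validation no longer provides.
public class ArticlesController : Controller
{
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(string title, string body)
    {
        string safeBody = HtmlAllowlist.Sanitize(body);
        // title is still HTML-encoded at render time as usual; safeBody is what gets stored
        // and later rendered unencoded (persistence code omitted).
        return RedirectToAction("Index");
    }
}
```

With this in place, Sanitize("<p onclick=\"x()\">Hi <a href=\"javascript:alert(1)\">there</a><script>steal()</script></p>") yields <p>Hi <a>there</a></p>: the handler and the javascript: link are gone and the script body never reaches the page.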
A nice little method to put in your tool belt. Be sure to apply it on your Edit actions as well as your Create actions: every action that accepts the editor's HTML needs both the attribute and the sanitizer.
Happy Programming from ComponentOne