Oftentimes an MVC application needs to POST text back that a user has entered into a text field or textarea. In a project I am working on I am using the TinyMCE WYSIWYG text editor to allow users to write articles. The editor allows for HTML tags such as , , , etc., and when submitting the form I have run across the infamous “A potentially dangerous Request.Form value was detected” error. So, how do you get around this? You want the user to be able to use some HTML, but you also need to secure your site from scripting attacks.

Enter the [ValidateInput(false)] attribute.

Adding this attribute to each of the action methods where you expect HTML tags to come in allows the controller to continue with the action. This works most of the time, but it is not exactly bulletproof for protecting your site.

By doing a string.Replace() on the incoming content, and checking for suspicious and/or malicious code, you can secure your site a bit more.

   1: [ValidateInput(false)]
   2: [HttpPost]
   3: public ActionResult Create(Article article, FormCollection collection)
   4: {
   5:   var author = HttpContext.User.Identity.Name;
   6:   var member = _appHelpers.GetAuthenticatedMember(author);
   7:   article.ArticleContent =
   8:       article.ArticleContent.Replace("<script", "[script")   // neutralise the opening tag
   9:       .Replace("</script>", "[/script]");                     // neutralise the closing tag
  10:   _repo.Create(article);
  11:   return RedirectToAction("Edit", new {articleId = article.Id});
  12: }

Lines 8 and 9 in the above code replace “<script>” tags with innocuous [script strings, making sure no JavaScript can run in the content that is submitted. You can continue along this line to remove SQL injection attack strings as well.
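The replacement from lines 8 and 9 pulled out into a helper, as an added example that is not part of the original post; the class and method names are mine. It keeps the literal String.Replace form beside a Regex version with RegexOptions.IgnoreCase, because String.Replace matches ordinally and leaves a mixed-case <SCRIPT> tag untouched, and adds a post-condition check so you can confirm nothing survived before the article reaches the repository.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original post): the script-tag neutralisation from
// the controller listing, extracted into a helper so it can be unit-tested.
public static class ScriptTagSanitizer
{
    // Literal port of lines 8 and 9. String.Replace is an ordinal, case-sensitive
    // match, so it only catches the exact lower-case spelling.
    public static string NeutralizeOrdinal(string content)
    {
        if (string.IsNullOrEmpty(content)) return content;
        return content
            .Replace("<script", "[script")
            .Replace("</script>", "[/script]");
    }

    // Same replacement, but case-insensitive and tolerant of whitespace inside
    // the tag, so "<SCRIPT>" and "</Script >" are neutralised too.
    private static readonly Regex OpenTag =
        new Regex(@"<\s*script\b", RegexOptions.IgnoreCase | RegexOptions.Compiled);
    private static readonly Regex CloseTag =
        new Regex(@"<\s*/\s*script\s*>", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string NeutralizeIgnoreCase(string content)
    {
        if (string.IsNullOrEmpty(content)) return content;
        return CloseTag.Replace(OpenTag.Replace(content, "[script"), "[/script]");
    }

    // Post-condition check: true if a script tag, in any casing, survived.
    // Worth running before the article is handed to the repository.
    public static bool StillContainsScriptTag(string content)
    {
        return !string.IsNullOrEmpty(content)
            && (OpenTag.IsMatch(content) || CloseTag.IsMatch(content));
    }

    public static void Main()
    {
        // Constructed sample input, as TinyMCE might submit it.
        const string sample = "<p>Hello</p><SCRIPT>alert(1)</Script>";
        foreach (var cleaned in new[] { NeutralizeOrdinal(sample), NeutralizeIgnoreCase(sample) })
        {
            Console.WriteLine(cleaned);
            Console.WriteLine("script tag still present: " + StillContainsScriptTag(cleaned));
        }
    }
}
```

Running Main shows the ordinal version leaving the mixed-case sample unchanged while the Regex version neutralises both tags; the same helper can be called from an Edit action, as the post recommends.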



A nice little method to put in your tool belt. Be sure to use it on your Edit Actions as well.



Happy Programming from ComponentOne



James