1

Is it possible to handle the error "A potentially dangerous Request.Form value was detected from the client (Model.Title="<p>some text</p>")." system-wide? Answers in this question suggest adding some validation on each attribute. I don't want to do that. Is it possible to redirect the user back to the form with an error message telling them they entered invalid input?

Edit: To clarify, I don't want to accept the HTML, I just want to show the user a friendly error message (like the ones for the validation of attributes).

Edit2: I know I can add attributes to my properties to allow HTML or disable the validation. Since there are a lot of forms, I don't want to pollute all my properties with [AllowHtml] or disable the validation (because I need validation). I'm looking for a way to intercept the MVC flow and catch this error when it gets triggered.

2 Answers

1

If you don't want to accept the HTML, I think the only way is to allow the HTML to be submitted, and then check for the presence of any HTML tags server-side. If found, you would then return your user to the form with code like this:

if (input.Contains("<")) {
   // Report the problem through ModelState so the view's validation helpers can display it
   ModelState.AddModelError("HTML_FOUND", "There is HTML in your input. Please remove the HTML before trying to submit again");
   return View();
}

It's probably possible to implement this system-wide by using a Filter https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx


2 Comments

Before entering the controller the error gets thrown so this code is unreachable unless I provide each property with [AllowHtml]-attributes (which I don't want to do).
There it is! I didn't know about filters. I'll check it out and accept when I get it working. Thanks!
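One way to apply the filter suggestion from the answer above system-wide, as an added example that is not part of the original answer or comments: a global exception filter that catches the HttpRequestValidationException raised during model binding and re-renders the action's view with a model-state error. The class name FriendlyRequestValidationAttribute, the message text and the FilterConfig registration (the MVC project-template layout) are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example; the class name is hypothetical.
// Request validation stays enabled everywhere. Only the way the failure is
// reported changes: a form error instead of the yellow error page.
public class FriendlyRequestValidationAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Leave every other exception to the remaining filters.
        if (filterContext.ExceptionHandled ||
            !(filterContext.Exception is HttpRequestValidationException))
        {
            return;
        }

        ControllerBase controller = filterContext.Controller;

        // Fixed message only: the rejected value is never written back into
        // the response, so the error page cannot reflect the markup.
        controller.ViewData.ModelState.AddModelError(
            string.Empty,
            "Your input contains characters that are not allowed, such as HTML tags. " +
            "Please remove them and submit again.");

        // With no ViewName set, MVC resolves the view from the current action
        // name, so the user lands back on the form that was posted.
        filterContext.Result = new ViewResult
        {
            ViewData = controller.ViewData,
            TempData = controller.TempData
        };
        filterContext.ExceptionHandled = true;
    }
}

// Assumed registration point, called from Application_Start as
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new FriendlyRequestValidationAttribute());
    }
}
```

Because binding was aborted, the view is rendered without a bound model, so views that dereference Model directly need a null check. The error added under the empty key is displayed by Html.ValidationSummary().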
0

option 1

[ValidateInput(false)]

Add this to your action; this will disable the HTML check for all fields.
option 2

[AllowHtml]

Add this to the property you want to allow HTML on. This will only allow that property to contain HTML, not the others. But if your action looks like

public ActionResult Index(FormCollection form)

option 2 does not work; you must use

public ActionResult Index(ModelXXX model)

because this will use the model binder, and FormCollection does not.
