1

For example, a user creates a new question on a forum.

I send ajax to the server, then I use HtmlEncode to exclude the HTML code before saving it in the database.

Is it possible that HtmlEncode would be used automatically when receiving a request?

Also, when using the attribute (for example [HtmlAllowed]) you can allow html code in request.

Thanks

Improve this question

2 Answers 2

Reset to default
1

You can achieve it using custom model binder, every string property or string parameter will go through this method when ASP.NET attempts to bind request to parameters of action method

public class StringBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        ValueProviderResult value = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        bindingContext.ModelState.SetModelValue(bindingContext.ModelName, value);

        var str = (string)value?.ConvertTo(typeof(string));

        str = HttpUtility.HtmlEncode(str);
        return str;
    }
}

And in Application_Start()

ModelBinders.Binders.Add(typeof(string), new StringBinder());
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This code throws an exception HttpRequestValidationException even with [AllowHtml] or [ValidateInput(false)]. Found a solution to use Request.Unvalidated
yeah, looks like my my input strings were already processed, so it went through binder fine. glad it helped to find correct solution. you might want to accept your own answer
0

Thanks to Yegor Androsov, for pointing me to right direction.

This ModelBinder automaticaly encode all string properties, except that has [SafeHtml] attribute

public class SafeStringModelBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        HttpRequestBase request = controllerContext.HttpContext.Request;
        string name = bindingContext.ModelName;
        string value = request.Unvalidated[name];

        Type holderType = bindingContext.ModelMetadata.ContainerType;
        if (holderType != null)
        {
            PropertyInfo propertyType = holderType.GetProperty(bindingContext.ModelMetadata.PropertyName);
            if (propertyType == null) return value;

            object[] attributes = propertyType.GetCustomAttributes(true);
            bool hasAttribute = attributes.Cast<Attribute>().Any(a => a.GetType() == typeof (SafeHtmlAttribute));

            if (!hasAttribute && !string.IsNullOrEmpty(value))
            {
                value = HttpUtility.HtmlEncode(value);
            }
        }

        return value;
    }
}

[AttributeUsage(AttributeTargets.Property)]
public class SafeHtmlAttribute : Attribute { }
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.