Rich Text Editors And ASP.NET MVC Dangerous Request.Form
Today I was asked to help out with some MVC bits, as the company I work for is currently building an MVC based CMS. One of the developers had placed a rich HTML editor inside a form (http://tinymce.moxiecode.com/), but when the form was submitted all we got back was the YSOD (Yellow Screen of Death).
The framework had detected that HTML had been posted to the server and rejected it as potentially dangerous ("A potentially dangerous Request.Form value was detected from the client"). This is ASP.NET request validation, the first line of defence against reflected XSS (please see my previous post on XSS/CSRF: http://www.dotnetguy.co.uk/post/2009/05/03/aspnet-e28093-security-10-helpful-pointers.aspx). As this particular page is part of an administration system that will only be used by developers and project managers to add and edit content on the site, I wanted to override this default fail-safe for that one page, and only for that page.
To override the default behaviour of the framework, all you have to do is add the attribute [ValidateInput(false)] to the action method in the controller that will be processing the POST. Two caveats: the attribute switches validation off for every field of every request that reaches that action, not just the editor's field, so keep it on the narrowest action you can (MVC 3 and later offer [AllowHtml] on a single model property, which is the better choice where available); and if you run MVC 1 or 2 on ASP.NET 4, the runtime validates the request before MVC sees it, so you must also set <httpRuntime requestValidationMode="2.0" /> in web.config or the attribute has no effect. Protect the action itself with [Authorize] as well; "administrators only" is a property of the authorisation rules, not of the URL.
using System.Web.Mvc;

namespace MvcApplication1.Controllers
{
    [HandleError]
    public class HomeController : Controller
    {
        // GET: renders the form that hosts the rich text editor.
        public ActionResult Index()
        {
            return View();
        }

        // POST: receives the editor's HTML. [ValidateInput(false)] turns off
        // request validation for this action only, so the markup is accepted
        // instead of producing the "potentially dangerous Request.Form value" error.
        // "content" is the name of the editor's form field (adjust to your form).
        [AcceptVerbs(HttpVerbs.Post)]
        [ValidateInput(false)]
        public ActionResult Index(string content)
        {
            return View();
        }
    }
}
Although this is not the most complicated piece of code in the world, I hope it saves someone some time.
On a side note: once you have switched request validation off, the server no longer stands between the database and the browser. Any untrusted text you render back to the end user must go through Html.Encode() or you are in for a nice dose of stored XSS. Encoding is not the whole answer for the editor's output, though, because encoding the stored markup would display the tags as literal text rather than rendering them. Content that is meant to be rendered as HTML has to be sanitised against a whitelist of allowed elements and attributes (no <script>, no on* event handlers, no javascript: URLs) before it is stored or written to the page; reject or strip anything that is not on the list rather than trying to blacklist what is dangerous.
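The following is an added example (not code from the original post, and not part of any project it describes) that puts the two points above together in the narrower form available from ASP.NET MVC 3 onwards: [AllowHtml] lifts request validation for the one property the editor posts while the rest of the model stays validated, the action is restricted to an assumed "ContentEditor" role, and the markup is run through a whitelist sanitiser before it is stored. It assumes the HtmlSanitizer NuGet package (namespace Ganss.XSS) is referenced; the controller name, model name, role name and the in-memory dictionary standing in for the CMS database are all hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using Ganss.XSS; // assumption: HtmlSanitizer NuGet package is referenced

namespace MvcApplication1.Models
{
    // View model for the editor form. Only Body may carry markup;
    // Title and Id still go through normal request validation.
    public class PageContent
    {
        public int Id { get; set; }
        public string Title { get; set; }

        [AllowHtml] // MVC 3+: request validation is skipped for this property only
        public string Body { get; set; }
    }
}

namespace MvcApplication1.Controllers
{
    using MvcApplication1.Models;

    // Hypothetical role name; the point is that the action is not anonymous.
    [Authorize(Roles = "ContentEditor")]
    public class ContentController : Controller
    {
        // Stand-in for the CMS database (constructed for the example).
        private static readonly Dictionary<int, PageContent> Store =
            new Dictionary<int, PageContent>();

        // One shared whitelist sanitiser. Anything not listed below is removed:
        // <script>, <iframe>, on* event handlers, style attributes, javascript: URLs.
        private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

        private static HtmlSanitizer BuildSanitizer()
        {
            var s = new HtmlSanitizer();
            // Start from an empty whitelist and add only what the editor needs.
            s.AllowedTags.Clear();
            foreach (var tag in new[] { "p", "br", "strong", "em", "ul", "ol", "li",
                                        "a", "h2", "h3", "blockquote" })
            {
                s.AllowedTags.Add(tag);
            }
            s.AllowedAttributes.Clear();
            s.AllowedAttributes.Add("href");
            // Only http/https links survive; "javascript:" and "data:" are dropped.
            s.AllowedSchemes.Clear();
            s.AllowedSchemes.Add("http");
            s.AllowedSchemes.Add("https");
            return s;
        }

        // GET /Content/Edit/5: render the editor with the stored content.
        public ActionResult Edit(int id)
        {
            PageContent model;
            if (!Store.TryGetValue(id, out model))
            {
                model = new PageContent { Id = id, Title = string.Empty, Body = string.Empty };
            }
            return View(model);
        }

        // POST /Content/Edit/5: accept the editor's HTML, sanitise, store.
        // No [ValidateInput(false)] here: Title is still validated, Body is
        // let through by [AllowHtml] on the model.
        [HttpPost]
        [ValidateAntiForgeryToken] // the form must render @Html.AntiForgeryToken()
        public ActionResult Edit(PageContent model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Sanitise once, at the trust boundary, before the markup is persisted.
            model.Body = Sanitizer.Sanitize(model.Body ?? string.Empty);
            Store[model.Id] = model;

            return RedirectToAction("Edit", new { id = model.Id });
        }
    }
}
```

In the Razor view that renders the page, write the title as @Model.Title, which encodes automatically (the equivalent of Html.Encode()), and only the sanitised body as @Html.Raw(Model.Body). Sanitising on the way in does not remove the need to treat every other field as untrusted text on the way out; the whitelist is what makes Html.Raw acceptable for that one property.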