So the scenario is this. You have an ASP.Net form field through which you want the user to submit HTML to the server. By default ASP.Net won't allow this, for security reasons. You could get around this by setting ValidateRequest="false" in the page declaration or in the web.config. But, if you are developing a user control, you don't want to make the developer using your control manage this. Another reason may be that subsequent developers may not be aware that you've deliberately opened up a security hole that has to be managed. So, you want to keep ValidateRequest enabled, but how?
To do this I wrote a little 'encodeMyHtml' JavaScript function that is called on the OnClick event when the HTML form's submit button is clicked. The function encodes the user's HTML input for the field I've specified into a harmless string before it is passed to the server. When I receive that input on the server I simply decode and go on my way.
ValidateRequest is happy, our users are happy, our peers are happy, heck we’re happy.
I add my ‘encodeMyHtml’ JavaScript function in my user control’s OnPageLoad method. This way I can make sure that my JavaScript is added to the parent page only once, no matter how many controls are on the page.
In my control's OnPageLoad I call this:
private void addEditorJavaScript()
{
// create our HTML encoder javascript function
// this way it shows up once per page that the control is on
string scr = @"<script type='text/javascript'>function encodeMyHtml(name){
// read the field's current value
var content = document.getElementById(name).value;
// replace the angle brackets with their HTML entities so the request passes ValidateRequest
content = content.replace(/</g,'&lt;');
content = content.replace(/>/g,'&gt;');
// write the encoded text back into the field before the form is submitted
document.getElementById(name).value = content;
}</script>";
// add the javascript into the Page
ClientScriptManager cm = Page.ClientScript;
cm.RegisterClientScriptBlock(this.GetType(), "GlobalJavascript", scr);
}
In my control's ASPX I'm using a gridview. I wrap the gridview's update asp:LinkButton in a span tag, and in that span tag I put my onclick handler.
<span onclick="encodeMyHtml('<%# UniqueID.Replace("$", "_") %>_FormViewContentManager_ContentTextBox')">
<asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update" Text="[Publish]" />
</span>
When I get the input on the server side I simply call a couple of Replace methods on the input string to decode the HTML, and I'm done.
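Pure-function versions of the client-side encoder registered in addEditorJavaScript and of the server-side Replace decode, as an added example that is not part of the original post, so the round trip can be checked outside the browser with node. The function names (encodeLikePost, decodeLikePost, encodeLossless, decodeLossless, roundTrips, encodeField) and the stubbed document object are assumptions of this example. It goes one step beyond the post: the variant that also encodes `&` (first on encode, last on decode) keeps text a user literally typed, such as `&lt;`, from being turned into `<` by the server-side decode, which the two-replacement scheme cannot tell apart from encoded input.

```javascript
// Added example, not code from the original post. Pure-function versions of
// the post's client-side encode and server-side decode so the round trip can
// be exercised without a browser (the field value is passed in, not read
// from the DOM).

// The post's encoder: only '<' and '>' become entities.
function encodeLikePost(content) {
  return content.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The post's server-side decode, mirrored here in JavaScript
// (the original is a couple of C# string.Replace calls).
function decodeLikePost(content) {
  return content.replace(/&lt;/g, '<').replace(/&gt;/g, '>');
}

// Extended variant (an assumption beyond the post): encode '&' first, so a
// user who literally types "&lt;" is not silently turned into "<" on decode.
function encodeLossless(content) {
  return content
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function decodeLossless(content) {
  // '&amp;' must be decoded last, otherwise "&amp;lt;" would end up as "<".
  return content
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// True when decode(encode(input)) gives back exactly the original input.
function roundTrips(encode, decode, input) {
  return decode(encode(input)) === input;
}

// Browser glue equivalent to the post's encodeMyHtml: reads the named field,
// encodes its value in place and returns the encoded text. The document is a
// parameter (hypothetical signature) so the function can be driven by a stub.
function encodeField(doc, fieldId, encode) {
  const el = doc.getElementById(fieldId);
  el.value = encode(el.value);
  return el.value;
}

// Stand-alone demonstration: the post's scheme corrupts literal entity text,
// the lossless variant does not.
const samples = ['<b>hi</b>', 'a &lt; b'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'post scheme round-trips:', roundTrips(encodeLikePost, decodeLikePost, s),
    'lossless round-trips:', roundTrips(encodeLossless, decodeLossless, s));
}

module.exports = { encodeLikePost, decodeLikePost, encodeLossless, decodeLossless, roundTrips, encodeField };
```

encodeField plays the role of encodeMyHtml but takes the document as a parameter so it can be exercised with a stub object that only implements getElementById. Whichever variant is used, after decoding the server holds the user's raw HTML again, so the handling that ValidateRequest was standing in for (sanitizing or HTML-encoding the markup before it is rendered back to a page) still has to happen on the output side.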