How to submit HTML without disabling ValidateRequest

So the scenario is this. You have an ASP.Net form field that you want the user to submit HTML to the server with. By default ASP.Net won’t allow this for security reasons. You could get around this by setting ValidateRequest=”false” in the page declaration or in the web.config. But, if you are developing a user control, you don’t want to make the developer using your control have to manage this. Another reason may be that subsequent developers may not be aware that you’ve deliberately opened up a security hole that has to be managed. So, you want to keep ValidateRequest enabled, but how?

To do this I wrote a little ‘encodeMyHtml’ JavaScript function that is called on the OnClick event when the HTML form’s submit button is clicked. The function encodes the user’s HTML input for the field I’ve specified into a harmless string before it is passed to the server. When I receive that input on the server I simply decode and go on my way.

ValidateRequest is happy, our users are happy, our peers are happy, heck we’re happy.

I add my ‘encodeMyHtml’ JavaScript function in my user control’s OnPageLoad method. This way I can make sure that my JavaScript is added to the parent page only once, no matter how many controls are on the page.

In my control’s OnPageLoad I call this:

private void addEditorJavaScript()
{
    // create our HTML encoder javascript function
    // this way it shows up once per page that the control is on
    string scr = @"<script type='text/javascript'>function encodeMyHtml(name){
                var content = document.getElementById(name).value
                content = content.replace(/</g,'<');
                content = content.replace(/>/g,'>');
                document.getElementById(name).value = content;
            }</script>";

    // add the javascript into the Page
    ClientScriptManager cm = Page.ClientScript;
    cm.RegisterClientScriptBlock(this.GetType(), "GlobalJavascript", scr);
}

In my control’s ASPX I’m using a gridview. I wrap the gridview’s update asp:LinkButton in a span tag, and in that span tag I put my OnClickEvent.

<span onclick="encodeMyHtml('<%# UniqueID.Replace("$", "_") %>_FormViewContentManager_ContentTextBox')">
    <asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update" Text="[Publish]" />
</span><span onclick="encodeMyHtml('  

When I get the input on the server side I simply call a couple of Replace methods on the input string to decode the HTML, and I’m done.

This entry was posted in Web & Software Development and tagged , . Bookmark the permalink.

2 Responses to How to submit HTML without disabling ValidateRequest

  1. Pingback: Retrive a TextBox using JavaScript - Question Lounge

  2. Naresh says:

    I don’t think so we are encode HTML text as per suggested in your blog. and I also tried with same JavaScript function by change value of control and submit as you mentioned above but I still same get error.

    Actually I am using TinyMCE editor in me site for CMS(Content management), any other way to submit html text with ValidateRequest=”true” in asp.net ?

    Thank in advance,
    Naresh

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>