So the scenario is this. You have an ASP.Net form field through which you want the user to submit HTML to the server. By default ASP.Net won’t allow this for security reasons. You could get around this by setting ValidateRequest="false" in the page declaration or in the web.config. But if you are developing a user control, you don’t want to make the developer using your control manage this. Another reason is that subsequent developers may not be aware that you’ve deliberately opened up a security hole that has to be managed. So, you want to keep ValidateRequest enabled, but how?
The answer is to encode the HTML on the client with JavaScript before the form is posted, and decode it again on the server. ValidateRequest is happy, our users are happy, our peers are happy, heck we’re happy.
In my control’s OnPageLoad I call this:
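// this way it shows up once per page that the control is on
ClientScriptManager cm = Page.ClientScript;
if (!cm.IsClientScriptBlockRegistered(GetType(), "encodeMyHtml"))
{
    string script = @"function encodeMyHtml(name) {
        var content = document.getElementById(name).value;
        content = content.replace(/</g, '&lt;');
        content = content.replace(/>/g, '&gt;');
        document.getElementById(name).value = content;
    }";
    cm.RegisterClientScriptBlock(GetType(), "encodeMyHtml", script, true);
}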
In my control’s ASPX I’m using a gridview. I wrap the gridview’s update asp:LinkButton in a span tag, and in that span tag I put my onclick handler.
<span onclick="encodeMyHtml('<%# UniqueID.Replace("$", "_") %>_FormViewContentManager_ContentTextBox')">
<asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update" Text="[Publish]" />
</span>
When I get the input on the server side I simply call a couple of Replace methods on the input string to decode the HTML, and I’m done.
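The round trip described above, as an added example that is not part of the original post: it compares the post's bracket-only encoding with a variant that also escapes `&`, against input that contains entities the user typed literally. All function names are hypothetical, the server-side decode is modelled in JavaScript rather than C#, and `looksDangerous` is a simplified model that assumes the .NET Framework 4.x request-validation rules.

```javascript
// Added example, not the post's code; all function names are hypothetical.

// Simplified model of the .NET Framework 4.x request-validation check
// (assumption): reject '<' followed by a letter, '!', '/' or '?', and "&#".
function looksDangerous(s) {
  return /<[A-Za-z!\/?]|&#/.test(s);
}

// The post's client-side encoding: only angle brackets are rewritten.
function encodeBracketsOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The post's server-side decode, modelled here in JavaScript.
function decodeBracketsOnly(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>');
}

// Reversible variant: escape '&' first on the way in and restore it last on
// the way out, so entities the user typed literally survive the round trip.
function encodeField(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function decodeField(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Constructed sample input: markup plus entities the user typed literally.
const sample = '<p>Use &lt;b&gt; for bold &#169; Example</p>';

// Encode as the browser would, check the posted value, decode as the server would.
function roundTrip(encode, decode, s) {
  const posted = encode(s);
  return { posted, blocked: looksDangerous(posted), restored: decode(posted) };
}

const original = roundTrip(encodeBracketsOnly, decodeBracketsOnly, sample);
const reversible = roundTrip(encodeField, decodeField, sample);
console.log(original);   // still blocked by "&#", and "&lt;b&gt;" comes back as "<b>"
console.log(reversible); // passes the check and restores the input exactly
```

Whichever pair is used, the restored string is the raw HTML the user typed, which request validation never inspected, so it needs allow-list sanitising or output encoding before it is rendered.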