
I have a text field on my form that can contain html code and code with < > characters. I would like to store this in the database but first I want to encode it so it can be safely accepted without needing to do [AllowHtml].

Here's the code I use to send the data. Note that I just send one field at a time and the data that may or may not contain html code is in the javascript val variable:

    $.ajax({
        cache: false,
        url: "/Admin/" + obj.table + "s/JsonUpdate",
        dataType: 'json',
        type: 'POST',
        data: { pk: pk, rk: rk, fld: type, val: val }
    })

On the server side controller I have this code:

    [HttpPost]
    public JsonResult JsonUpdate(string pk, string rk, string fld, string val) {
        Content content = null;
        try {
            if (fld == "TempRowKey") {

One thing suggested was for me to use a viewModel and [AllowHtml], but if the data is encoded then why do I have to use [AllowHtml]?

Here is what happened when I tried to send <x>. The data sent was:

pk=0006000&rk=0100&fld=Notes&val=%3Cx%3E

Then the server replied with:

    Server Error in '/' Application
    A potentially dangerous Request.Form value was detected from the client (val="<x>").
  • jQuery/Javascript/XHR will automatically encode the value to be sent over HTTP correctly. The clientside part should not need to do more than that, the rest is a serverside job. As possibly malicious content could be sent to the server, the escaping for the database needs to be done there - show us your serverside code. Commented Aug 5, 2012 at 5:10
  • @Bergi - I updated my question. I did see the data is encoded (thanks) but I wonder why it's rejected by the controller. Commented Aug 5, 2012 at 5:25

2 Answers

Use a view model with [AllowHtml], then encode if you want before storing in the database. But why bother? Store as-is in the database and when time comes to output the value stored in the database on a webpage simply HTML encode it. That's what the @ Razor operator does by default.


2 Comments

Hello Darin, The thing is I don't want to encode it on the view. I want the text to show up as <x,y>. My problem was it was being stopped when it got to the controller.
Yes, that's the reason you should use a view model and decorate the Val property with the [AllowHtml] attribute.

As long as you don't override contentType or processData of the jQuery.ajax request (in your example you don't), data sent would be urlencoded by default:

When sending data to the server, use this [to set] content type. Default is "application/x-www-form-urlencoded; charset=UTF-8", which is fine for most cases.

This could be confirmed by using Firebug or similar to inspect the request submitted.

Update:

It looks like you're trying to circumvent the limitation of not having [AllowHTML]. Whatever your reason is for not using it in the first place, you could manually encodeURI the data submitted and then revert this on the server.

Regarding your follow-up question ...but if the data is encoded then why do I have to use [AllowHtml]:

When data is submitted with jQuery.ajax, its content type is set to application/x-www-form-urlencoded by default. This encoding only applies during transfer - think the representation of your data is urlencoded, not the actual data. How is this different? When your server receives the request, it recognizes the content type and decodes it before further processing (and validation) occurs. Basically the lower-level handling of data transfer on the protocol level is handled by the framework outside of the code you wrote.

If you manually encode the data on the client before submission, that would be how your server application will receive it, without detecting any dangerous values. Note that during transfer the string will appear effectively double-encoded, but that doesn't affect the end result.

2 Comments

Thanks but can you tell me how I can set the content type with the above ajax?
The default setting is the correct one. You can verify this by looking at the request body in Web Inspector/Firefox etc. If data submitted is not urlencoded, you may want to add a better code sample, preferably on jsfiddle. If data submitted is urlencoded but is not interpreted as such by the server, that's a completely different scenario.
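To make the transport-versus-content distinction in this answer concrete, here is an added JavaScript model (not code from the question or from either answer) of what jQuery.ajax puts on the wire, what the server framework decodes before the action runs, and what a request-validation check then sees; the `looksDangerous` rule is an assumption that only approximates ASP.NET MVC request validation.

```javascript
// Added model of the transport-vs-content point; not the question's or answers' code.
// Assumption: looksDangerous() only approximates ASP.NET MVC request validation.

// Client side: what jQuery.ajax does with a plain `data` object by default,
// i.e. an application/x-www-form-urlencoded body.
function buildFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Server side, before any action code runs: the framework decodes the body,
// so the action sees the original characters, not the %XX representation.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Approximation (assumption) of request validation: '<' followed by a letter,
// '!', '/' or '?', or an '&#' entity prefix, is rejected.
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Simulated pipeline: decode, then validate every field except those the view
// model marks with [AllowHtml]. Throws like the error shown in the question.
function handleRequest(body, allowHtmlFields = []) {
  const form = parseFormBody(body);
  for (const [name, value] of Object.entries(form)) {
    if (!allowHtmlFields.includes(name) && looksDangerous(value)) {
      throw new Error(`A potentially dangerous Request.Form value was detected (${name}="${value}")`);
    }
  }
  return form;
}

// Output side: HTML-encode when rendering (what Razor's @ does by default),
// so a stored "<x>" is displayed literally instead of becoming markup.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Same request as the question's trace: the wire carries val=%3Cx%3E, but the
// action receives "<x>", so handleRequest(body) throws unless val is allowed.
const body = buildFormBody({ pk: "0006000", rk: "0100", fld: "Notes", val: "<x>" });

// The workaround from this answer: encode *before* submission. The wire now
// carries val=%253Cx%253E, the action receives "%3Cx%3E", which passes
// validation, and the server reverts it with decodeURIComponent().
const doubled = buildFormBody({ val: encodeURIComponent("<x>") });
```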
