How can I allow a client to use HTML tags in MVC 4? I would like to save records to the database and, when they are extracted in the view, allow only some HTML tags (<b>, <i>, <img>); all other tags must be represented as text.

My Controller:

    // request validation is switched off for the whole action, so raw HTML reaches the database unchanged
    [ValidateInput(false)]
    [HttpPost]
    public ActionResult Rep(String a)
    {
        var dbreader = new DataBaseReader();
        var text = Request["report_text"];
        dbreader.SendReport(text, uid, secret).ToString();
        ...
    }

My View:

@{
    var dbreader = new DataBaseReader();
    var reports = dbreader.GetReports();
    foreach (var report in reports)
    {
        @* Html.Raw writes report.content into the page without encoding it *@
        <div class="report_content">@Html.Raw(report.content)</div>
        ...
    }
}
  • I don't get what you want, can you add some further explanation? Commented Jan 13, 2014 at 11:12
  • Are you getting an error with @Html.Raw? Commented Jan 13, 2014 at 11:13
  • No, I don't get an error, but now my site is vulnerable to XSS attacks. Commented Jan 13, 2014 at 12:55

5 Answers


You can replace all < characters with the HTML entity:

tags = tags.Replace("<", "&lt;");

Now, replace back only the allowed tags:

tags = tags
    .Replace("&lt;b>", "<b>")
    .Replace("&lt;/b>", "</b>")
    .Replace("&lt;i>", "<i>")
    .Replace("&lt;/i>", "</i>")
    .Replace("&lt;img ", "<img ");

And render it to the page using @Html.Raw(tags).



If you are trying to get some property of your view model object to accept HTML text, use AllowHtmlAttribute:

[AllowHtml]
public string UserComment { get; set; }

and before binding to the view

model.UserComment = model.UserComment.Replace("<othertagstart/end>", ""); // hard


Turn off validation for report_text (1) and write a custom HTML encoder (2):

Step 1:

Request.Unvalidated().Form["report_text"]

More info here. You don't need to turn off validation for the entire controller action.

Step 2:

Write a custom HTML encoder (convert all tags except b, i and img into entities, e.g. script -> &lt;script&gt;), since you are customizing the default behaviour of request validation and HTML tag filtering. Consider safeguarding yourself against SQL injection attacks by checking the SQL parameters passed to stored procedures/functions etc.


You may want to check out BBCode (BBCode on Wikipedia). This way you have some control over what is allowed and what is not, and can prevent illegal usage.

This would work like this:

  1. A user submits something like 'the meeting will now be on [b]monday![/b]'
  2. Before saving it to your database you remove all real HTML tags ('< ... >') to avoid the use of illegal tags or code injection, but leave the pseudo tags as they are.
  3. When viewed, you convert only the allowed pseudo HTML tags into real HTML.

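The BBCode flow above, written out as an added C# example (not the answer's own code). One deliberate deviation: instead of stripping real tags when the record is saved, this version entity-encodes the whole stored string at render time and only then turns the three pseudo tags into markup, so the database keeps exactly what the user typed and the safety of the output does not depend on what is stored. The class name `BbCode`, the `Render` method and the rule that `[img]` may only carry an http(s) URL are this example's own choices.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not the answer's own code: render stored BBCode as HTML.
// Everything is entity-encoded first, so a real tag the user typed can never
// reach the page; only the three pseudo tags are turned back into markup.
public static class BbCode
{
    private static readonly RegexOptions Opts =
        RegexOptions.IgnoreCase | RegexOptions.Singleline;
    private static readonly Regex Bold   = new Regex(@"\[b\](.*?)\[/b\]", Opts);
    private static readonly Regex Italic = new Regex(@"\[i\](.*?)\[/i\]", Opts);
    // [img] takes a bare URL and nothing else, so there is no attribute to smuggle.
    private static readonly Regex Image  = new Regex(@"\[img\](.*?)\[/img\]", Opts);

    public static string Render(string stored)
    {
        // '<', '>', '"', '&' and '\'' become entities; square brackets survive,
        // so the pseudo tags are still recognisable afterwards.
        string s = WebUtility.HtmlEncode(stored ?? string.Empty);

        s = Bold.Replace(s, "<b>$1</b>");
        s = Italic.Replace(s, "<i>$1</i>");
        s = Image.Replace(s, m =>
        {
            string url = WebUtility.HtmlDecode(m.Groups[1].Value).Trim();
            Uri uri;
            // http(s)-only is this example's assumption, not something the answer specifies.
            bool ok = Uri.TryCreate(url, UriKind.Absolute, out uri)
                      && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
            // Anything that is not an http(s) URL is left as the literal [img] text.
            return ok ? "<img src=\"" + WebUtility.HtmlEncode(url) + "\" />" : m.Value;
        });
        return s;
    }

    public static void Main()
    {
        // Constructed sample input mixing a pseudo tag, a real tag and a bad URL.
        Console.WriteLine(Render(
            "the meeting will now be on [b]monday![/b] <script>alert(1)</script> " +
            "[img]https://example.com/room.png[/img] [img]javascript:alert(1)[/img]"));
    }
}
```

Because the encode step runs before any pseudo tag is converted, the `<script>` in the sample comes out as `&lt;script&gt;` text, the `[b]` pair becomes a real `<b>`, the first `[img]` becomes an `<img>` with a single rebuilt `src` attribute, and the `javascript:` one stays as the literal `[img]...[/img]` text the user typed.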


I found the solution to my problem:

    using System.Text.RegularExpressions;

    // html has already been HTML-encoded, so only these three patterns
    // become real tags again; everything else stays as text
    html = Regex.Replace(html, "&lt;b&gt;(.*?)&lt;/b&gt;", "<b>$1</b>");
    html = Regex.Replace(html, "&lt;i&gt;(.*?)&lt;/i&gt;", "<i>$1</i>");
    html = Regex.Replace(html, "&lt;img(?:.*?)src=&quot;(.*?)&quot;(?:.*?)/&gt;", "<img src=\"$1\"/>");

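Three of the answers (the string-Replace chain, the custom encoder, and the asker's regex solution) all take the same route: neutralise everything, then re-enable a short list of tags. Whether that is safe comes down to one detail, what the `<img>` rule hands back to the browser. The C# below is an added example and is not code from the question or from any answer: `NaiveAllowList` reproduces the Replace-chain approach as written, `SafeAllowList` is my version of encode-then-re-enable, and the restriction of `src` to absolute http(s) URLs is this example's assumption about what a report should be allowed to embed.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not code from the question or from any of the answers.
// Both methods take untrusted report text and return a string meant for
// @Html.Raw(); they differ in what the <img> rule lets back through.
public static class ReportHtml
{
    // Mirrors the string-Replace answer: only '<' is neutralised, and the
    // "&lt;img " -> "<img " step hands the rest of the tag, attributes
    // included, straight back to the browser.
    public static string NaiveAllowList(string input)
    {
        return input.Replace("<", "&lt;")
                    .Replace("&lt;b>", "<b>").Replace("&lt;/b>", "</b>")
                    .Replace("&lt;i>", "<i>").Replace("&lt;/i>", "</i>")
                    .Replace("&lt;img ", "<img ");
    }

    // Matches an already-encoded <img src="..."> that carries no other
    // attribute. The text was encoded first, so the capture cannot hold a
    // raw quote, '<' or '>' and cannot break out of the attribute we rebuild.
    private static readonly Regex EncodedImg = new Regex(
        @"&lt;img\s+src=&quot;(.+?)&quot;\s*/?&gt;", RegexOptions.IgnoreCase);

    // Encode everything, then re-enable exactly <b>, </b>, <i>, </i> and an
    // <img> rebuilt from scratch around a validated http(s) URL (the scheme
    // restriction is this example's assumption, not something the question asks for).
    public static string SafeAllowList(string input)
    {
        string s = WebUtility.HtmlEncode(input ?? string.Empty);
        s = s.Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>")
             .Replace("&lt;i&gt;", "<i>").Replace("&lt;/i&gt;", "</i>");
        return EncodedImg.Replace(s, m =>
        {
            string url = WebUtility.HtmlDecode(m.Groups[1].Value);
            Uri uri;
            bool ok = Uri.TryCreate(url, UriKind.Absolute, out uri)
                      && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
            // javascript:, data:, vbscript: and relative paths stay visible text.
            return ok ? "<img src=\"" + WebUtility.HtmlEncode(url) + "\" />" : m.Value;
        });
    }

    public static void Main()
    {
        // Constructed sample input: one attribute-based payload, one allowed
        // tag, one tag that must never come back.
        string report = "hi <img src=x onerror=alert(1)> <b>bold</b> <script>alert(2)</script>";
        Console.WriteLine(NaiveAllowList(report));
        Console.WriteLine(SafeAllowList(report));
        Console.WriteLine(SafeAllowList(
            "<img src=\"https://example.com/a.png\"/> <img src=\"javascript:alert(1)\"/>"));
    }
}
```

For the constructed payload in `Main`, `NaiveAllowList` returns `<img src=x onerror=alert(1)>` intact, because only `<` was encoded and `&lt;img ` was turned straight back into `<img ` with its `onerror` attribute still attached; the `<script>` does become text, but the `onerror` handler alone is enough for script execution. `SafeAllowList` leaves that tag as visible text and only ever emits an `<img>` it constructed itself with a single validated attribute. The asker's regex solution is closer to the safe variant, since it also works on encoded text and rebuilds the tag with only `src`, but it copies any `src` value through, so a `javascript:` URL would survive there; the scheme check above is the piece it lacks. Tags in other cases (`<B>`) stay as text in `SafeAllowList`; add further Replace calls if you want them, but never a Replace that re-enables a tag prefix rather than a complete literal tag.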
