I have a form with some checkbox-type questions. The wording of the questions is fetched from a table in the DB, but there is HTML markup in it.

ID {PK}   Question
1         What is your <strong> name <strong> ?
2         Another question with <br> HTML markup

I can render these questions without trouble although they have HTML markup. The problem occurs when the user submits the form.

@* The controller name is passed without the "Controller" suffix, otherwise the form posts to /QuestionController/SaveQuestion, which does not route. *@
@using (Html.BeginForm("SaveQuestion", "Question", FormMethod.Post))
{
    @* Inside a code block the "for" keyword is not prefixed with "@" (Razor reports a parse error if it is). *@
    for (int i = 0; i < Model.QuestionList.Count; i++)
    {
        @Html.HiddenFor(m => m.QuestionList[i].ID)
        @Html.HiddenFor(m => m.QuestionList[i].Question)

        <div>
            @Html.CheckBoxFor(m => m.QuestionList[i].IsDisplay)
            @Html.DisplayFor(m => m.QuestionList[i].Question)
        </div>
    }
    <button type="submit">Save</button>
}

When the form is submitted I get the following error.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client ....

The requirement forces me to save these strings with markup in them. So how do I avoid this error? Is there a way to achieve the same with Unicode?

  • The normal response is, don't store HTML markup in your DB values. The back end should not be responsible for holding UI information; you should restrict the functionality to only its area of responsibility, so you can't break the UI by modifying a backend parameter, or vice versa. You don't encourage SQL injection because "that's how I want to do it", as it will still cause a problem. Don't do this. The HTML that is relevant on your front end should be created on your front end, stored there, and be immediately available to a programmer reading it. Commented Oct 22, 2023 at 16:15
  • Imagine you worked with another frontender, and he said "I want the colors to change on that text, but I can't find it in the code." And you have to respond, "Did you write a script that updates the colors in the database, for the color change on the text?" He will rightly look at you like you are insane. And likely quit the job, if he has any sense left. Commented Oct 22, 2023 at 16:16
  • But if you absolutely want to ruin your codebase: stackoverflow.com/questions/42678990/… Commented Oct 22, 2023 at 16:18
  • Have you considered using Markdown instead of letting the user enter HTML? If you let them enter HTML, you will get problems with deviously-encoded cross-site scripting (XSS). Commented Oct 22, 2023 at 16:29
  • Probably two different things that might help you here: 1) why do you need to have a hidden field for the actual question text? Surely the only value that you actually need to save the user's response is the ID of the question, right? Otherwise, 2) you need to encode the question text when it's output to the user, probably using something like HttpUtility.HtmlEncode. Commented Oct 22, 2023 at 21:55

1 Answer


You can use the AllowHtml attribute on the Question property of your model class. Something like this (I'm guessing a bit):

using System.Web.Mvc;

// Class renamed: in C# a member cannot have the same name as its enclosing
// type, so a class "Question" with a property "Question" does not compile.
// IsDisplay is the checkbox property the view binds to.
public class QuestionViewModel
{
    public int ID { get; set; }

    [AllowHtml]
    public string Question { get; set; }

    public bool IsDisplay { get; set; }
}

You can also use the ValidateInput(false) attribute on the SaveQuestion method (Action) in the QuestionController, although that will turn off all the checking for all your fields.

You should be aware that these checks are there to prevent cross-site scripting attacks (XSS). If your website is public-facing (and even if not), you need to be very careful, if you turn them off, that someone malicious can't enter something like JavaScript inside script tags that will somehow get executed and cause damage.

There's a discussion of these approaches and XSS in a previous answer on the site.
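As an added example (not code from the question or from the answer above), the two approaches discussed here side by side for ASP.NET MVC 5: posting only the question ID and checkbox state so request validation never sees markup, and, if the markup genuinely has to be posted, scoping [AllowHtml] to the one property and restricting who may submit it. The type names QuestionFlagPost, QuestionFlagsForm, QuestionEditModel, QuestionEditForm, the IQuestionRepository interface, the "QuestionEditor" role and the Index action are assumptions; the page only shows fragments. The QuestionList property names match the view's Model.QuestionList[i] fields so the default model binder fills them.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// ---- Option A: never post the markup back at all -----------------------
// Only the ID and the checkbox state round-trip through the form, so the
// request contains no '<' and request validation stays fully enabled.
public class QuestionFlagPost
{
    public int ID { get; set; }
    public bool IsDisplay { get; set; }
}

public class QuestionFlagsForm
{
    public List<QuestionFlagPost> QuestionList { get; set; }
}

// ---- Option B: the markup really has to be posted and saved -------------
// [AllowHtml] switches request validation off for this single property;
// every other field in the request is still validated, unlike
// [ValidateInput(false)] on the action, which disables it for all of them.
public class QuestionEditModel
{
    public int ID { get; set; }

    [AllowHtml]
    public string Question { get; set; }   // e.g. "What is your <strong>name</strong>?"

    public bool IsDisplay { get; set; }
}

public class QuestionEditForm
{
    public List<QuestionEditModel> QuestionList { get; set; }
}

// Hypothetical persistence interface, assumed for this example.
public interface IQuestionRepository
{
    void SaveDisplayFlag(int id, bool isDisplay);
    void SaveText(int id, string markup);
}

public class QuestionController : Controller
{
    private readonly IQuestionRepository _repo;

    // Assumes a DI container supplies the repository.
    public QuestionController(IQuestionRepository repo)
    {
        _repo = repo;
    }

    // Option A. Nothing in this request can carry markup, so the default
    // validation is left on and no [AllowHtml] is needed. The view's form
    // must contain @Html.AntiForgeryToken() for [ValidateAntiForgeryToken].
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SaveQuestion(QuestionFlagsForm form)
    {
        foreach (var q in form.QuestionList)
        {
            _repo.SaveDisplayFlag(q.ID, q.IsDisplay);
        }
        return RedirectToAction("Index");
    }

    // Option B. Because the text bypasses request validation and is stored
    // to be rendered later, only a trusted role may submit it; the anonymous
    // checkbox form must never reach this action. On output the text still
    // has to be HTML-encoded (DisplayFor does that) or, if the markup is
    // meant to render, passed through an HTML sanitiser before Html.Raw;
    // this example does not include a sanitiser.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "QuestionEditor")]   // role name is an assumption
    public ActionResult SaveQuestionText(QuestionEditForm form)
    {
        foreach (var q in form.QuestionList)
        {
            _repo.SaveText(q.ID, q.Question);
            _repo.SaveDisplayFlag(q.ID, q.IsDisplay);
        }
        return RedirectToAction("Index");
    }
}
```

With option A the hidden Question field in the view becomes unnecessary and can be dropped, which is what removes the HttpRequestValidationException without touching any validation setting; option B is only for the case where the requirement to store the markup cannot be avoided.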
