
I have a requirement to validate user input in a text box. Whenever an HTML tag is entered, it should redisplay the same view with a friendly error message like "Cannot enter html tags."

The ways I have tried so far are:

  1. [ValidateInput(true)] on the controller - It comes up with the error "Potentially dangerous request".
  2. [ValidateInput(false)] on the controller - It stores the value in the database (I don't want this).
  3. In the view model I placed this attribute on the property: [RegularExpression ( "<([A-Z][A-Z0-9]*)\b[^>]*>(.*?)</\1>",ErrorMessage = "You have entered html…Html is not a valid input!" )]

Has anyone had this issue? If yes, please let me know how you fixed it.

Thank you

Hari Gillala
  • What didn't work about option 3? – bzlm Sep 12 '11 at 14:51
  • The regular expression should be what your input should match. So you should have a regular expression which does not have `<` or `>` – Tim B James Sep 12 '11 at 14:53
  • It complains about the regular expression escape sequence -<([A-Z][A-Z0-9]*)\b[^>]*>(.*?)\1>- It complains about the third-from-last character '\'. Error message: Unrecognized escape sequence. – Hari Gillala Sep 12 '11 at 14:55

3 Answers

You could use the [AllowHtml] attribute:

[AllowHtml]
[RegularExpression (@"^[^<>]*$", ErrorMessage = "You have entered html... Html is not a valid input!" )]
public string SomePropertyThatShouldNotAcceptHtml { get; set; }

Obviously, before storing in the database you should ensure that the content is safe:

[HttpPost]
public ActionResult Save(MyViewModel model)
{
    if (!ModelState.IsValid) 
    {
        // the model is invalid => redisplay view
        return View(model);
    }

    // the model passed validation => store in the database    
    ...
    return RedirectToAction("Success");
}

And if you are afraid of XSS you could use the AntiXSS library which will filter out all the dangerous scripts from the HTML. You could even write a custom model binder which will perform this step and automatically assign only a safe HTML value to the property.

Darin Dimitrov
  • It complains about the regular expression escape sequence -<([A-Z][A-Z0-9]*)\b[^>]*>(.*?)\1>- It complains about the third-from-last character '\'. Error message: Unrecognized escape sequence. – Hari Gillala Sep 12 '11 at 15:02
  • @StewieFG, I have updated my answer with a new regexp. If you want to use your regexp, you could do this: `[RegularExpression (@"<([A-Z][A-Z0-9]*)\b[^>]*>(.*?)\1>",ErrorMessage = "You have entered html…Html is not a valid input!" )]`. Notice the `@` character at the beginning of the string. – Darin Dimitrov Sep 12 '11 at 15:04
  • @StewieFG, the Regex compiles with `@`. If it doesn't work it's probably because it is incorrect. That's another question. In my answer I suggested a regex which ensures that the input does not contain `<` and `>`. – Darin Dimitrov Sep 12 '11 at 15:15

Good morning, this looks like an excellent starting point to be able to handle your requirement. Check out this article.

mreyeros

It is working now, displaying the friendly error message. I have changed it a little bit by adding the ValidateInput tag on the Post action in the controller.

I have to add this in the ViewModel:

[AllowHtml]
[RegularExpression (@"^[^<>]*$", ErrorMessage = "You have entered html... Html is not a valid input!" )]
public string SomePropertyThatShouldNotAcceptHtml { get; set; }

In the controller action, I have to add the tag on the Post action:

[ValidateInput(false)]

Thanks Darin.

Hari Gillala
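A complete version of the approach from Darin Dimitrov's answer and the asker's follow-up, as an added example rather than code from either post: [AllowHtml] on the one property together with the `^[^<>]*$` regex, a POST action that redisplays the view when ModelState fails, and a small self-check built on System.ComponentModel.DataAnnotations.Validator so the rule can be exercised outside MVC. The controller, view model, repository interface and sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// View model (assumed): [AllowHtml] lets the raw text reach model binding instead
// of tripping request validation ("A potentially dangerous Request.Form value...").
// The RegularExpression attribute then rejects any value containing '<' or '>',
// so the user gets the friendly message and nothing is stored.
public class CommentViewModel
{
    [AllowHtml]
    [Required]
    [StringLength(500)]
    [RegularExpression(@"^[^<>]*$", ErrorMessage = "Cannot enter html tags.")]
    public string Body { get; set; }
}

// Hypothetical persistence seam; not part of either answer.
public interface ICommentRepository
{
    void Save(string body);
}

public class CommentsController : Controller
{
    private readonly ICommentRepository _repository;

    public CommentsController(ICommentRepository repository)
    {
        _repository = repository;
    }

    [HttpGet]
    public ActionResult Create()
    {
        return View(new CommentViewModel());
    }

    // Deliberately no [ValidateInput(false)] on the action: that would switch
    // request validation off for every field bound by this action, whereas
    // [AllowHtml] opts out only Body, which the regex then checks itself.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            // The view's @Html.ValidationMessageFor(m => m.Body) renders
            // "Cannot enter html tags." next to the text box.
            return View(model);
        }

        _repository.Save(model.Body);
        return RedirectToAction("Success");
    }
}

// Exercises the same attributes without a web server, using the DataAnnotations
// validator that MVC's default model validation is built on.
public static class CommentValidationCheck
{
    public static bool IsAccepted(string body, out IList<string> errors)
    {
        var model = new CommentViewModel { Body = body };
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model, null, null);
        bool ok = Validator.TryValidateObject(model, context, results, validateAllProperties: true);
        errors = new List<string>();
        foreach (var r in results)
        {
            errors.Add(r.ErrorMessage);
        }
        return ok;
    }

    public static void Main()
    {
        // Constructed sample inputs covering plain text, tags, and a bare '<'.
        string[] samples = { "Just a comment.", "<b>bold</b>", "<script>alert(1)</script>", "3 < 5", "&lt;b&gt;" };
        foreach (var s in samples)
        {
            IList<string> errors;
            bool ok = IsAccepted(s, out errors);
            Console.WriteLine("{0,-30} {1}", s, ok ? "accepted" : "rejected: " + string.Join("; ", errors));
        }
    }
}
```

Running the self-check shows the trade-off of the `^[^<>]*$` rule: "Just a comment." and "&lt;b&gt;" are accepted, while "<b>bold</b>", "<script>alert(1)</script>" and also "3 < 5" are rejected, because the regex cannot tell a bare less-than sign from the start of a tag. Entity-encoded text passes the regex and is still rendered literally, since Razor HTML-encodes output by default; the regex constrains input shape and is not a substitute for output encoding.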