Validation detected dangerous client input - post from TinyMCE in ASP.NET

Question

I get this error when I post from TinyMCE in an ASP.NET MVC view.

Error:

Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted

From googling, it says to just add a validateRequest in the Page directive at the top which I did, but I STILL get this error. As you can see, below is my code in the view:

<%@ Page validateRequest="false" Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage" %>

Answer 1

Use the decorator [ValidateInput(false)].

You will then want to write a HTMLEncode method to make it safe.

Let me know if you want me to post the one I use.

Added the Encode I use

    public static class StringHelpers
{
    public static string HtmlEncode(this string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            value = value.Replace("<", "&lt;");
            value = value.Replace(">", "&gt;");
            value = value.Replace("'", "&apos;");
            value = value.Replace(@"""", "&quot;");
        }
        return value;
    }

    public static string HtmlDecode(this string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            value = value.Replace("&lt;", "<");
            value = value.Replace("&gt;", ">");
            value = value.Replace("&apos;", "'");
            value = value.Replace("&quot;", @"""");
        }

        return value;
    }
}

Answer 2

Try this solution. simply add to TinyMce control

tinyMCE.init({
...
encoding : "xml"
});

http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/encoding

http://blog.tentaclesoftware.com/archive/2010/07/22/96.aspx

Answer 3

Try using the [AllowHtml] attribute in your model.

class MyModel{
 [AllowHtml]
 public string Content{get;set;}
}

Answer 4

Annoyingly in version 4 of tinymce they seem to have removed the encoding: xml option.

I ended up using a javascript HTML encoding function from this answer, and on my submit button I encode the contents of the textarea before the form submits, by using tinymce's getContent and setContent methods

Answer 5

I had the same problem. I didn't want to disable ASP.NET MVC validation feature, so I kept looking until I reached this solution:

At the tinyMCE plugin code encode your content (I'm using the older version)

tinyMCE.init({
   ...
   encoding: "xml"
});

And after this I didn't get any more the application validation error. Then I came up with another problem when I edited my form the code would come up with the html tags

<strong>My input value</strong>

instead of this

My input value

So, I had to decode the html for that field when getting my values at the Controller, like this:

...    
entity.field = HttpUtility.HtmlDecode(entity.field);