ASP.NET MVC3, Html.TextAreaFor without encoding?

Question

How can I use the Html.TextAreaForwithout encoding it? I know it's a security risk but I have a separate class that sanitizes any text.

Example:

@Html.TextAreaFor(model =>model.PostBodyText, 10, 100, 1)

I'm planning to use it with TinyMCE.

Regards RaVen

UPDATE I'm using the new Razor View Engine.

Answer 1

You will need to roll your own:

<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
    @MvcHtmlString.Create(Model.PostBodyText)
</textarea>

Of course in terms of security this could be very dangerous as your site is now vulnerable to XSS attacks. So the question is why having a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?

Answer 2

As an alternative option you might wanna use ValidateInput as described here. An example in MVC style would be:

[ValidateInput(false)]
public ActionResult Method(){
     return View()
}

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(){
    // your stuff here
    RedirectToAction("index"); // or something 
}

I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.

//edit

woops I see you need to add

<httpRuntime requestValidationMode="2.0"/>

to webconfig as well in new versions of MVC. Guess it might not be the way to go.

Answer 3

Use [AllowHtml] on the model property. As I learned in In ASP.NET MVC 3, how do I get at the model using Razor Syntax in a Create() View?.