HTML characters

  • Question

  • User1029764681 posted

    So I have a hotels section in my webapp where we keep track of information on the hotels we use.

    When an end user is updating/inserting into a string field, they copied an email address.

    This email address in the textarea box got put in as <user@user.com>. This blows up EF.

    I could grab that column and then Server.HtmlEncode before the insert, and then I guess have to decode when I display it. Is there a better way to allow this text to be entered?

    Thursday, August 22, 2019 2:14 PM

Answers

  • User1029764681 posted

    In case anyone finds this... not an EF issue at all. I was able to update my class with the "Allow HTML" attribute

            // [AllowHtml] (System.Web.Mvc) exempts only this property from request validation
            [Display(Name = "Transportation Information")]
            [AllowHtml]
            public string TransportationInformation { get; set; }

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, August 22, 2019 6:40 PM

All replies

  • User753101303 posted

    Hi,

    fmrock164

    This blows up EF.

    Instead just tell what happens without any interpretation to avoid a possible misunderstanding on your side and then on our side about what actually happens. EF shouldn't have any problem with that.

    I suspect you are rather running into https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation ? If really needed it could be disabled and you could then validate the mail address on the server side. The accepted syntax is described at https://docs.microsoft.com/en-us/dotnet/api/system.net.mail.mailaddress?view=netframework-4.8 and you could use this to create your own validation based maybe on the usual TryParse approach...

    edit: a bit old and doesn't mention that since 4.5 you can also use https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control.validaterequestmode?redirectedfrom=MSDN&view=netframework-4.8#System_Web_UI_Control_ValidateRequestMode to disable this for a single control.

    Thursday, August 22, 2019 2:36 PM
  • User1029764681 posted

    Sorry.. had my custom errors on.. so the real error looks like.. which is an MVC error not EF.

    A potentially dangerous Request.Form value was detected from the client (TransportationInformation="<test>").

    Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

    Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TransportationInformation="<test>").

    Thursday, August 22, 2019 3:06 PM
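
An added example, not code from any poster in this thread: once request validation is off for the field, the value reaches the server unfiltered, so the `MailAddress`-based TryParse check suggested in the reply above and encoding at display time are what remain. The class and method names are hypothetical, the sample inputs are constructed, and .NET Framework 4.x is assumed.

```csharp
using System;
using System.Net;
using System.Net.Mail;

// Hypothetical helper, not from the thread: server-side handling for a field
// whose request validation was switched off with [AllowHtml].
public static class AllowHtmlFieldDemo
{
    // TryParse-style wrapper: on .NET Framework the MailAddress constructor
    // reports bad syntax by throwing, so the exception becomes a bool here.
    public static bool TryParseMailAddress(string input, out MailAddress address)
    {
        address = null;
        if (string.IsNullOrWhiteSpace(input)) return false;
        try
        {
            address = new MailAddress(input.Trim());
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }

    // Store the raw text; encode at the point of output so "<" and ">" are
    // shown as characters instead of being parsed as markup by the browser.
    public static string ForHtmlOutput(string stored)
    {
        return WebUtility.HtmlEncode(stored ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = { "<user@user.com>", "Front Desk <desk@hotel.example>", "<b>call ahead</b>" };
        foreach (string s in samples)
        {
            MailAddress parsed;
            bool ok = TryParseMailAddress(s, out parsed);
            Console.WriteLine("{0,-34} address={1,-20} html={2}",
                s, ok ? parsed.Address : "(not an address)", ForHtmlOutput(s));
        }
    }
}
```

In a Razor view, `@Model.TransportationInformation` already HTML-encodes the value, so storing it raw and never decoding is enough; `Html.Raw` on this property would bypass that encoding.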