Allowing HTML Formatted User Input in ASP.NET

Geordie Konrad
ASP.NET forms reject input containing HTML tags by default. However, there are times when we need to allow a user to format their input, such as in comment forms. For this, we use the HtmlEncode utility method. Read on for this quick fix.

HTML Tags in User Input

Sometimes you want to let your users input text that includes custom formatting with HTML tags. For example, the rich text input fields that we are using for our commenting engine will allow you to use the <b> or <i> tags to modify your comment.

If you include, <b>Bold Text</b> in your comment, it will be displayed as Bold Text.

The problem is that, by default, ASP.NET will reject this type of input when it automatically performs a request validation when the input is submitted. To get around this, all you have to do is turn off the request validation and create a function that will search the input and allow through the types of HTML tags that you want your users to have access to. Before writing the input to a database, make sure to HTML-encode it. This will ensure that any malicious code that may be part of the input will be handled as text and not be executed.

The Quick Solution

If you want to allow HTML code to be submitted in any form on the page, you can add a simple attribute to the Page directive. Here's the code.

<%@ Page Language="C#" ValidateRequest="false" %>

The key part of this snippet is ValidateRequest="false". What this does is tell the ASP.NET request validator to stop looking for HTML/XML tags that could be potentially dangerous.

In general, this is not recommended, as it opens your site up to HTML injection issues when rendering a page. A more refined approach is implementing HTML encoding for individual input fields.

The Best Solution

Create a function that will handle the click event of the submit button. In this function, initialize a StringBuilder object and set it equal to the HTML-encoded version of the input string. Now, go back and search the StringBuilder for the tags that you want to allow and change those back to the original HTML tag.
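The encode-then-restore step described above, written out as an added example (it is not the article's own code-behind). It uses Regex.Replace instead of the StringBuilder search the article describes, and the class and method names are assumed:

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // System.Web.dll: HttpUtility.HtmlEncode

public static class CommentFormatter
{
    // Allow-list: only bare <b> and <i> pairs are restored.
    // Tags carrying attributes, such as <b onclick="...">, stay encoded.
    private static readonly string[] AllowedTags = { "b", "i" };

    // 1. HTML-encode everything so the input renders as literal text.
    // 2. Restore only allow-listed tags that appear as a properly matched
    //    open/close pair. Anything else, including <script>, stays escaped.
    public static string SanitizeComment(string input)
    {
        if (input == null) return string.Empty;

        // '<' -> &lt;, '>' -> &gt;, '&' -> &amp;, '"' -> &quot;
        string encoded = HttpUtility.HtmlEncode(input);

        foreach (string tag in AllowedTags)
        {
            // Matches &lt;b&gt;...&lt;/b&gt; non-greedily; an unmatched open or
            // close tag is left encoded, so unbalanced markup never reaches the page.
            string pattern = "&lt;" + tag + "&gt;(.*?)&lt;/" + tag + "&gt;";
            encoded = Regex.Replace(encoded, pattern,
                m => "<" + tag + ">" + m.Groups[1].Value + "</" + tag + ">",
                RegexOptions.IgnoreCase | RegexOptions.Singleline);
        }
        return encoded;
    }

    public static void Main()
    {
        // Constructed sample comment for the demo, not taken from the article.
        string comment = "<b>Bold</b> and <i>italic</i>, but <script>x()</script> "
                       + "and <b onclick=\"x\">styled</b> stay as text.";
        Console.WriteLine(CommentFormatter.SanitizeComment(comment));
    }
}
```

Because the raw post still contains '<', the page still needs ValidateRequest="false" for the request to reach this handler; the encoding step is what keeps that setting from exposing the page to injection.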

The following snippet shows the .aspx page code for this technique. It implements a multiline textbox that allows the user to include <b> and <i> HTML tags to format their input.

<html>
  <body>

  </body>
</html>

And now, in the .aspx code, handle the button click event as follows.


Conclusion

Now, users can enter HTML formatted input into the multiline textbox. This quick fix can be used for any input element and is a great way to allow for formatted comments.

User Comments

anon
3/17/2009
"In general, this is not recommended as it opens your site up to HTML injection issues when rendering a page. A more refined approach is implementing HTMLEncoding for individual input fields. "

Yeah, right. The whole concept of automatically rejecting any input with HTML in it is just ridiculous. The correct way is to escape stuff when outputting - not reject it when it's being input.
Rafay Bin Ali
12/10/2009
Your second code would still require validaterequest to be set to false, wouldn't it?
Jeff
1/5/2010
Not only would the second example still require validaterequest to be set to false but this code won't work on tags that have style attributes, etc. It will only work on tags that are simple open and closed tags without additional attributes.
Rafay Bin Ali
1/10/2010
Maybe if we did the StringBuilder substitution using client-side JavaScript, then we wouldn't have to set validateRequest to false. That is, before the request is sent to the server, handle the transformation on the client side. I am not sure, but I think such a substitution would need to occur on the client side; otherwise there is no way around validateRequest.