
Allowing HTML Formatted User Input in ASP.NET

Geordie Konrad
ASP.NET request validation automatically rejects form input that looks like HTML markup. However, there are times when you need to let a user format their input, such as in comment forms. For this, we turn off request validation for the page and use the HtmlEncode utility method to keep everything except a short list of allowed tags inert. Read on for this quick fix.

HTML Tags in User Input

Sometimes you want to let your users input text that includes custom formatting with HTML tags. For example, the rich text input fields that we are using for our commenting engine will allow you to use the <b> or <i> tags to modify your comment.

If you include <b>Bold Text</b> in your comment, it will be displayed as Bold Text.

The problem is that, by default, ASP.NET rejects this type of input: request validation runs when the submitted form data is read, before your code sees it, and throws an HttpRequestValidationException if a value contains anything that looks like a tag. To get around this, turn off request validation for the page and create a function that HTML-encodes the whole input and then lets back through only the specific tags you want your users to have. The article encodes before writing the input to the database; what actually matters is that every path that renders the stored text emits it encoded, so that anything other than the allowed tags is handled as text and never interpreted as markup or script.

The Quick Solution

If you want to allow HTML code to be submitted in any form on the page, you can add a simple attribute to the Page directive. Here's the code.

<%@ Page Language="C#" ValidateRequest="false"%>

The key part of this snippet is ValidateRequest="false". It tells the ASP.NET request validator to stop rejecting input that contains HTML/XML-like tags, for this page only. One caveat: on ASP.NET 4.0 and later, request validation runs earlier in the pipeline and the page-level attribute is ignored unless web.config also contains <httpRuntime requestValidationMode="2.0" /> inside <system.web>.

In general, this is not recommended as it opens your site up to HTML injection issues when rendering a page. A more refined approach is implementing HTMLEncoding for individual input fields.

The Best Solution

Create a function that handles the click event of the submit button. In this function, initialize a StringBuilder object with the HTML-encoded version of the input string. Then search the StringBuilder for the encoded form of each tag you want to allow (HtmlEncode turns <b> into &lt;b&gt; and </b> into &lt;/b&gt;) and change those back to the original HTML tag. Because only an exact, attribute-free tag is restored, anything else the user typed, including a <b> with an attribute on it, stays encoded and is displayed as text.

The following snippet shows the .aspx page code for this technique. It implements a multiline textbox that allows the user to include <b> and <i> HTML tags to format their input.

<html>
  <body>
    
  </body>
</html>

And now, in the code-behind (.aspx.cs), handle the button click event as follows.
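As an added example, not the article's own code (which did not survive on this page), here is the encode-then-restore routine described above, written in C# for the ASP.NET setting the article uses. It keeps the article's idea, HtmlEncode first and then put back only the allowed tags, but restores the tags with a small stack walk instead of plain StringBuilder.Replace so that an unclosed or mis-nested <b> or <i> cannot leak formatting into the rest of the page. The class name CommentFormatter, the control names CommentInput and Preview, and the handler name Submit_Click are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;                 // HttpUtility.HtmlEncode (System.Web.dll)
using System.Web.UI.WebControls;  // TextBox, Literal

public static class CommentFormatter
{
    // The allow list: tags restored after encoding. Keep it to attribute-free
    // inline tags; the matcher below never lets an attribute through.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "b", "i" };

    // HtmlEncode turns "<b>" into "&lt;b&gt;" and "</b>" into "&lt;/b&gt;".
    // Only a bare tag name between the encoded brackets matches, so
    // "<b onmouseover=...>" or "<b >" stays encoded and is shown as text.
    private static readonly Regex EncodedTag =
        new Regex(@"&lt;(/?)([A-Za-z]+)&gt;", RegexOptions.Compiled);

    public static string FormatComment(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: encode everything. After this line the text is inert: no
        // character the user typed can open a tag, an attribute or a script.
        string encoded = HttpUtility.HtmlEncode(input);

        // Step 2: walk the encoded text and turn only well-nested, allowed
        // tags back into markup. The stack tracks which tags are open.
        var open = new Stack<string>();
        var sb = new StringBuilder(encoded.Length);
        int last = 0;

        foreach (Match m in EncodedTag.Matches(encoded))
        {
            sb.Append(encoded, last, m.Index - last);   // text before the tag
            last = m.Index + m.Length;

            bool isClose = m.Groups[1].Value == "/";
            string name = m.Groups[2].Value.ToLowerInvariant();

            if (!AllowedTags.Contains(name))
            {
                sb.Append(m.Value);                     // e.g. &lt;script&gt; stays text
            }
            else if (!isClose)
            {
                open.Push(name);
                sb.Append('<').Append(name).Append('>');
            }
            else if (open.Count > 0 && open.Peek() == name)
            {
                open.Pop();
                sb.Append("</").Append(name).Append('>');
            }
            else
            {
                sb.Append(m.Value);                     // stray or mis-nested close stays text
            }
        }
        sb.Append(encoded, last, encoded.Length - last);

        // Step 3: close whatever the user left open so bold or italic
        // formatting cannot run on into the rest of the page.
        while (open.Count > 0)
            sb.Append("</").Append(open.Pop()).Append('>');

        return sb.ToString();
    }
}

// Code-behind for the comment page. The control names are assumed; in a
// normal project they come from the designer file rather than being declared
// here. The page directive still needs ValidateRequest="false": request
// validation runs when the posted form is read, before this handler runs.
public partial class Comments : System.Web.UI.Page
{
    protected TextBox CommentInput;
    protected Literal Preview;

    protected void Submit_Click(object sender, EventArgs e)
    {
        string safeHtml = CommentFormatter.FormatComment(CommentInput.Text);

        // Literal writes its Text unencoded, which is what we want here: the
        // string is already safe. Store safeHtml and render it the same way
        // later; do not encode it a second time or the tags reappear as text.
        Preview.Text = safeHtml;
    }
}
```

With this routine, "Say <b>hi</b>" comes back unchanged, "<b onclick=\"x()\">hi</b>" becomes "&lt;b onclick=&quot;x()&quot;&gt;hi&lt;/b&gt;" (the attribute-bearing open tag is not restored, so its close tag has nothing to match and stays text too), "<script>alert(1)</script>" stays fully encoded, and "<i>unclosed" becomes "<i>unclosed</i>".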


Conclusion

Now, users can enter HTML formatted input into the multiline textbox. This quick fix can be used for any input element and is a simple way to allow formatted comments. Keep the allow list to plain open-and-close tags: as soon as you want attributes such as style or href to pass through, string replacement on encoded text is no longer an adequate filter and you need a real HTML sanitizer.

User Comments

anon
3/17/2009
"In general, this is not recommended as it opens your site up to HTML injection issues when rendering a page. A more refined approach is implementing HTMLEncoding for individual input fields. "

Yeah, right. The whole concept of automatically rejecting any input with HTML in it is just ridiculous. The correct way is to escape stuff when outputting - not reject it when it's being input.
Rafay Bin Ali
12/10/2009
Your second code would still require ValidateRequest to be set to false, wouldn't it?
Jeff
1/5/2010
Not only would the second example still require validaterequest to be set to false but this code won't work on tags that have style attributes, etc. It will only work on tags that are simple open and closed tags without additional attributes.
Rafay Bin Ali
1/10/2010
Maybe if we did the StringBuilder substitution using client-side JavaScript, then we wouldn't have to set ValidateRequest to false. That is, before the request is sent to the server, handle the transformation on the client side. I am not sure, but I think such substitution would need to occur on the client side; otherwise there is no way around ValidateRequest.
numai
9/15/2011
Does it only work with ASP? Can I use JavaScript to do such work?

for example, I'm writing this comment
I click on enter
it is a new line,
new line How could I get this
without asking the user to enter
html codes!?
George
9/19/2011
@numai: Because line breaks aren't html codes.

You can do stuff like this with Javascript, but you should never rely on just Javascript to handle safe input.

Javascript is run on the client, and should be used as a convenience, a way to notify the user quicker than via a roundtrip to the server. But if the user disables Javascript, or bypasses it by modifying it, you still need the same validation server side.
me
9/21/2011
Click Industry Buzz link at the top of page and you will see YSOD