
I am trying to pass an HTML string as a parameter through the following means:

$.ajax({
    url: sourceURL,
    type: "GET",
    cache: false,
    success: function (data, status, jqxhr) {
        // etc...
    }
});

where sourceURL is a call to a C# Controller action with a parameter that contains an HTML string (from a Rich Text Box). Something like:

var sourceURL = "ThisController/ThisAction?Parameter=" + varWithHTML;

However, it fails, stating:

A potentially dangerous Request.QueryString value was detected from the client (description="<p>Rich Text String</p>").

I have tried wrapping the string in an encodeURI():

encodeURIComponent(varWithHTML)

but still the same problem. I have also tried another suggestion for this issue in web.config:

<httpRuntime requestValidationMode="2.0" />

And still no luck. Am I going mad or is there a way to get around this?

  • Why are you passing something with a GET request? This is why POST exists. Commented Apr 19, 2018 at 22:22
  • Does this ajax call send a data argument? Commented Apr 19, 2018 at 22:23
  • Good point maccettura - I had quickly copied and posted some code and that snuck through. derloopkat - I have placed a breakpoint on the controller action and that is not even being hit. When I check Event Viewer I get the above error message. Commented Apr 19, 2018 at 22:26
  • @CJH well if you change this to a POST and pass that HTML in the body of your POST request I imagine you won't be needing our help anymore. Commented Apr 19, 2018 at 22:27
  • I'm asking about the ajax call, not the success function. Commented Apr 19, 2018 at 22:30

1 Answer


You should use the POST method and pass the HTML as the POST body. You also need to turn off ValidateInput; you simply need to put this line above your action:

[ValidateInput(false)] // This line is to let you pass html in parameters.
public ActionResult ThisAction()

But be careful! That may put your site at risk of a Cross Site Scripting (XSS) attack, which may let a hacker easily edit the request as it passes on and put JavaScript within it. You may need to handle that manually, as ValidateInput was made for that reason.

To avoid that, you need to pass the input through HTML encoding and then replace the brackets only for each tag you want to be allowed, for example:

If you want to enable the <b> </b> tag only, then you need to replace &lt;b&gt; with <b> and &lt;/b&gt; with </b> before you save them to data or whatever you want to do with them!

using System.Text;
using System.Web;
using System.Web.Mvc;

[ValidateInput(false)] // This line is to let you pass html in parameters.
public ActionResult ThisAction(string htmlString)
{
    StringBuilder sbHtmlString = new StringBuilder();

    // Encode the htmlString so every tag becomes inert text.
    sbHtmlString.Append(HttpUtility.HtmlEncode(htmlString));

    // Only decode the bold tag and ignore anything else!
    sbHtmlString.Replace("&lt;b&gt;", "<b>");
    sbHtmlString.Replace("&lt;/b&gt;", "</b>");
    htmlString = sbHtmlString.ToString();

    // Do whatever you want with htmlString

    return View();
}

Good Luck.
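The following is an added example, not the answer's own code, that generalises the encode-then-decode-allowed-tags approach above to a small allow-list of bare tags and puts it in a POST action. The names RichTextSanitizer, AllowedTags and ThisController are assumptions; ThisAction and htmlString follow the answer.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper: encodes all markup, then re-enables only exact bare tags.
public static class RichTextSanitizer
{
    // Allow-list of bare tag names (assumed). Because the match is on the exact
    // encoded form "&lt;b&gt;", a tag carrying attributes such as an event
    // handler never matches and therefore stays encoded as inert text.
    private static readonly string[] AllowedTags = { "b", "i", "p" };

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input))
        {
            return string.Empty;
        }

        // Step 1: encode everything, so no markup survives as markup.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(input));

        // Step 2: decode only the exact opening and closing forms of allowed tags.
        foreach (var tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }

        return sb.ToString();
    }
}

public class ThisController : Controller
{
    // The client sends the rich text in the POST body (e.g. a form field named
    // htmlString), not in the query string, so request validation on
    // Request.QueryString is no longer the issue; [ValidateInput(false)] lets
    // the raw HTML reach the action, and Sanitize makes it safe to keep.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult ThisAction(string htmlString)
    {
        string safeHtml = RichTextSanitizer.Sanitize(htmlString);

        // Constructed illustration of the result:
        //   input:  <p>Hi <b>there</b></p><script>x()</script>
        //   output: <p>Hi <b>there</b></p>&lt;script&gt;x()&lt;/script&gt;

        // Persist or render safeHtml; it contains only allow-listed bare tags.
        return Content(safeHtml, "text/html");
    }
}
```

On the client, the matching jQuery call uses `type: "POST"` with `data: { htmlString: varWithHTML }` instead of appending the HTML to the URL. Note that this replace-based allow-list deliberately rejects tags with attributes, so an allowed tag must be written bare to survive; if the editor emits styled tags, a real HTML sanitiser library with an attribute allow-list is the better choice.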
