如何允许HTML格式的用户输入 [英] How to allow HTML formatted user input

问题描述

我需要在asp.net应用程序中接受HTML格式的用户输入.输入的示例:
<p style="font-family: arial, sans-serif; font-weight: normal; font-size: 10pt; text-align: center"></p>

我正在使用 tinymce [潜在危险的输入 [属性添加到Page指令来在页面级别进行验证.然后HMTL对所有输入进行编码.

但是，即使我已将属性添加到page指令中，该页面仍会引发HttpRequestValidationException异常.我检查了我的web.config，那里没有任何东西.

有什么我想念的吗?我还能如何关闭页面验证，以便接受HTML格式的用户输入?

p.s.我的一个想法是在页面发布之前使用javascript编码输入，但是，如果可能的话，我宁愿处理后面的代码.

I need to accept HTML formatted user input in my asp.net application. An example of the input:
<p style="font-family: arial, sans-serif; font-weight: normal; font-size: 10pt; text-align: center"></p>

I am using tinymce[^] to format the controls. Before I send the text to the client, the text is HTML encoded and it shows in the control ok.

Now I want to receive the change from the user. ASP.NET blocks potentially dangerous inputs[^] such as HTML tags for security reasons. If someone tries to post such input then the page throws an exception such as.
System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client

The work around is to turn validation at the page level by adding ValidateRequest="false" attribute to the Page directive. Then HMTL encode all inputs.

But, even though I have added the attribute to the page directive, the page still raises HttpRequestValidationException exception. I checked my web.config and I don''t have anything there.

Is there something I missed? How else can I turn off page validation so I can accept HTML formatted user input?

p.s. One thought I have is to encode the input using javascript before the page is posted, but I would rather handle in the code behind, if possible.

推荐答案

尝试一下:

try this:

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes [ ^ ]

限制到页面级别，而不是整个应用程序.

http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes[^]

limiting to a page level and not application wide.

<location path="whatever">
    <system.web>
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</location>

这篇关于如何允许HTML格式的用户输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！