问题
How can I use the Html.TextAreaForwithout encoding it? I know it's a security risk but I have a separate class that sanitizes any text.
Example:
@Html.TextAreaFor(model =>model.PostBodyText, 10, 100, 1)
I'm planning to use it with TinyMCE.
Regards RaVen
UPDATE I'm using the new Razor View Engine.
回答1:
You will need to roll your own:
<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
@MvcHtmlString.Create(Model.PostBodyText)
</textarea>
Of course in terms of security this could be very dangerous as your site is now vulnerable to XSS attacks. So the question is why having a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?
回答2:
As an alternative option you might wanna use ValidateInput as described here. An example in MVC style would be:
[ValidateInput(false)]
public ActionResult Method(){
return View()
}
[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(){
// your stuff here
RedirectToAction("index"); // or something
}
I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.
//edit
woops I see you need to add
<httpRuntime requestValidationMode="2.0"/>
to webconfig as well in new versions of MVC. Guess it might not be the way to go.
回答3:
Use [AllowHtml] on the model property. As I learned in In ASP.NET MVC 3, how do I get at the model using Razor Syntax in a Create() View?.
来源:https://stackoverflow.com/questions/4245431/asp-net-mvc3-html-textareafor-without-encoding