HTML Online Decoder

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.

I don't want to go into the discussion about the smartness of throwing an exception or crashing an entire web application because somebody entered a character in a text box, but I am looking for an elegant way to handle this.

Trapping the exception and showing

An error has occurred please go back and re-type your entire form again, but this time please do not use <

doesn't seem professional enough to me.

Disabling post validation (validateRequest="false") will definitely avoid this error, but it will leave the page vulnerable to a number of attacks.

Ideally: When a post back occurs containing HTML restricted characters, that posted value in the Form collection will be automatically HTML encoded.So the .Text property of my text-box will be something & lt; html & gt;

Is there a way I can do this from a handler?

I am trying to parse a string of HTML with ruby, this string contains multiple <pre></pre> tags, I need to find and encode all < and > brackets in between each of these elements.

Example: string_1_pre = "<pre><h1>Welcome</h1></pre>"string_2_pre = "<pre><h1>Welcome</h1></pre><pre><h1>Goodbye</h1></pre>"def clean_pre_code(html_string) matched = html_string.match(/(?<=<pre>).*(?=<\/pre>)/) cleaned = matched.to_s.gsub(/[<]/, "&lt;").gsub(/[>]/, "&gt;") html_string.gsub(/(?<=<pre>).*(?=<\/pre>)/, cleaned)endclean_pre_code(string_1_pre) #=> "<pre>&lt;h1&gt;Welcome&lt;/h1&gt;</pre>"clean_pre_code(string_2_pre) #=> "<pre>&lt;h1&gt;Welcome&lt;/h1&gt;&lt;/pre&gt;&lt;pre&gt;&lt;h1&gt;Goodbye&lt;/h1&gt;</pre>"

This works as long as html_string contains only one <pre></pre> element, but not if there are multiple.

I would be open to a solution that utilizes Nokogiri or similar, but couldn't figure how to make it do what I want.

Please let me know if you need any additional context.

Update:This is possible only with Nokogiri, see accepted answer.

As ScottGu says in his blog post «by default content emitted using a @ block is automatically HTML encoded to better protect against XSS attack scenarios».My question is: how can you output a non-HTML-encoded string?

For the sake of simplicity, pls stick to this simple case:

@{ var html = "<a href='#'>Click me</a>" // I want to emit the previous string as pure HTML code...}

Are they the same as XML, perhaps plus the space one ( )?

I've found some huge lists of HTML escape characters but I don't think they must be escaped. I want to know what needs to be escaped.

I am using a rich text editor to type formatted text, as shown below:

I can get the HTML formatted text, which would look like this:

<p>This is my rich HTML Text</p>

Now I want to pass this HTML formatted text to my controller and my controller would put the text in an email and send it to the receiver.

The problem is HTML string is considered unsafe, so in order to pass it to my controller, I need to add [ValidateInput(false)] attribute to my Action method, like below:

    [ValidateInput(false)] // <-- not able to hit the action method without this    [HttpPost]    [AllowAnonymous]    [ValidateAntiForgeryToken]    public async Task<JsonResult> Contact(string message)    {        if (!HttpContext.User.Identity.IsAuthenticated)        {            return Json(new { Authorize = "false" });        }        // email message to receiver    }

And this is the Ajax method which contacts the controller:

$('#contactBtn').click(function () {    var form = $('#__AjaxAntiForgeryForm');    var token = $('input[name="__RequestVerificationToken"]', form).val();    var message = quill.root.innerHTML; // <-- HTML formatted message    $.ajax({        url: "/Communication/Contact",        data: { __RequestVerificationToken: token, message: message },        dataType: 'json',        type: "POST"    });});

So the above code works, but I am not sure if this is the right thing to do? Is there any security issue with the above code? Is there any encoding that I need to do on the HTML?