Allow for “<<” to be submitted, without disabling “validaterequest”

Question

I'm wondering if anyone knows of a way to allow something like "<<" to be submitted, without setting validaterequest=false

I have a creole parser, and the recommended plugin/macro syntax is:

<<macro-name argo0=foo arg1=bar argN=qux>>

Answer 1

I wrote a little 'encodeMyHtml' JavaScript function that is called on the OnClick event when the HTML form's submit button is clicked. The function encodes the user's HTML input for the field I've specified into a harmless string before it is passed to the server. When I receive that input on the server I simply decode and go on my way.

ValidateRequest is happy, our users are happy, our peers are happy, heck we're happy.

I add my 'encodeMyHtml' JavaScript function in my user control's OnPageLoad method. This way I can make sure that my JavaScript is added to the parent page only once, no matter how many controls are on the page.

In my control's OnPageLoad I call this:

private void addEditorJavaScript()
{
    // create our HTML encoder javascript function
    // this way it shows up once per page that the control is on
    string scr = @"<script type='text/javascript'>function encodeMyHtml(name){
                var content = document.getElementById(name).value
                content = content.replace(/</g,'<');
                content = content.replace(/>/g,'>');
                document.getElementById(name).value = content;
            }</script>";

    // add the javascript into the Page
    ClientScriptManager cm = Page.ClientScript;
    cm.RegisterClientScriptBlock(this.GetType(), "GlobalJavascript", scr);
}

In my control's ASPX I'm using a gridview. I wrap the gridview's update asp:LinkButton in a span tag, and in that span tag I put my OnClickEvent.

<span onclick="encodeMyHtml('<%# UniqueID.Replace("$", "_") %>_FormViewContentManager_ContentTextBox')">
    <asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update" Text="[Publish]" />
</span><span onclick="encodeMyHtml(' 

When I get the input on the server side I simply call a couple of Replace methods on the input string to decode the HTML, and I'm done.

Answer 2

You could do a javascript regex replace for "<\\S" on the specific field on form submit. But it would fail for browsers that don't support javascript.

Answer 3

You can encode the "<<" on the client using Javascript:

<script language="javascript">
function encodeString(str) {
   return str.replace(/</gi, '&lt;').replace(/>/gi, '&gt;');
}
</script>

And then on the server use Server.HtmlDecode to return the string to its original form.