Request validation is enabled by default in ASP.NET and it basically stops people from submitting a form with HTML in any of the input fields. It’s a little more sophisticated than that, but basically it just looks for HTML tags and if it finds any, it throws an exception and the form is prevented from being posted.

However, you often want people to be able to write HTML tags in your forms. That’s why most people turn it off either globally in web.config or on the individual pages hosting a form and then just HTML encodes the values. I’ve done it reluctantly myself many times, but there is a smarter way to allow HTML input without turning request validation off.

What if we could just HTML encode all input fields just before the form is submitted? That way we could benefit from request validation and the security it offers out of the box. By having request validation enabled, you also make it impossible for spambots to post links in your form.

The easiest way of doing this is to create a custom server control that inherits from System.Web.UI.WebControls.TextBox and add a little JavaScript magic. I’ve written a SafeTextBox class that HTML encodes its value client-side and then HTML decodes the value again server-side. That way it can be treated just like a normal TextBox.

[code:c#]

public class SafeTextBox : System.Web.UI.WebControls.TextBox
{
 protected override void OnLoad(System.EventArgs e)
 {
  base.OnLoad(e);
  if (!Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "TextBoxEncode"))
  {
   System.Text.StringBuilder sb = new System.Text.StringBuilder();
   sb.Append("function TextBoxEncode(id)");
   sb.Append("{");
   sb.Append("var tb = document.getElementById(id);");
   sb.Append("tb.value = tb.value.replace(new RegExp('<', 'g'), '&lt;');");
   sb.Append("tb.value = tb.value.replace(new RegExp('>', 'g'), '&gt;');");
   sb.Append("}");
   Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "TextBoxEncode", sb.ToString(), true);
  }

  // Adds the function call after the form validation is called.
  if (!Page.IsPostBack)
   Page.Form.Attributes["onsubmit"] += "TextBoxEncode('" + ClientID + "');";
 }

 public override string Text
 {
  get { return base.Text; }
  set
  {
   if (!string.IsNullOrEmpty(value))
    base.Text = value.Replace("&lt;", "<").Replace("&gt;", ">");
   else
    base.Text = value;
  }
 }
}

[/code]

The way the SafeTextBox HTML encodes/decodes is not very sophisticated but it works. You can add your own logic to the encoding/decoding if you feel the need.

To roll this out on your own website, just dump the SafeTextBox class in the App_Code folder and hook it up using tag mapping.

Recently I started working at ZYB and haven’t seen all the code yet. Then the other day I fell over a special section in our web.config called tagMapping. I’ve never heard about it before so I asked around and did a little detective work. Basically, it’s a way to turn all instances of a type into another type at compile time. In human language it means that it can turn all e.g. System.Web.UI.WebControls.Textbox instances in the entire website into another control.

That is so cool that I had to do a little example. I’ve created a very simple control that inherits from a TextBox and overrides the Text property so that it HTML encodes the text. I placed it in the App_Code folder and called it SafeTextBox.

[code:c#]

public class SafeTextBox : System.Web.UI.WebControls.TextBox
{
  public override string Text
  {
    get
    {
      return base.Text;
    }
    set
    {
      base.Text = System.Web.HttpUtility.HtmlEncode(value);
    }
  }
}

[/code]

Then I needed to hook the tag mapping up in the web.config to convert all the text boxes into SafeTextBox instances. It simply converts all TextBox instances on the entire site. Here is what’s needed in the web.config:

[code:xml]

<pages>
  <tagMapping>
    <add tagType="System.Web.UI.WebControls.TextBox" mappedTagType="SafeTextBox"/>
  </tagMapping>
</pages>

[/code]

That is one smart way of applying your own server control substitute classes on a site wide basis. I'm still a little frustrated by the fact that I didn't know about this before very recently.