I have an ecommerce gift store where users can fill out a gift-card for their recipient.
In order to fill out the card, I have the users enter text into a multiline textbox.
When I display the gift-card on the final review page, I have to spit out the information with Html.Raw so that Newlines are being displayed properly. I'm doing this:
@(Model.GiftCard.Text != null ? Html.Raw(Model.GiftCard.Text.Replace(char.ConvertFromUtf32(13),"<br />")) : Html.Raw(""))
I'm frightened that i'm entering dangerous territory using Html.Raw on values that were user-entered. However, when I go back to the gift-card entry page, the page breaks when I try to do something like "This is my gift card! (scripttag)alert('test');(/scripttag)"... so I feel like .net will catch any malicious entries during that point.
Am I safe to proceed like this? It seems that since the gift-card entry page is running validations against malicious code, I should be okay to use HtmlRaw later to display newline html that I'm putting in myself...
(I replaced the actual script tag with this (scripttag) thing above so it will show in stackoverflow)
Use a regular expression in your view model to make sure people only enter A-Za-z0-9 and whatever else you think should use such as :) =] type of stuff. Screening this stuff front end is better than second guessing it on the way out.
How about using a <pre></pre> tag instead? This would allow returns to display in HTML without the need for Html.Raw?